My frequent co-conspirator, Ryan Petrich, and I submitted a response to the U.S. government’s Request for Information on Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software (CISA-2023-0027).

Secure by Design is a strategy we believe can nurture a future where technology is safe, secure, and resilient. But Secure by Design is a zeitgeisty topic that could be distorted into security theater or captured by crusty vendors to benefit themselves.

Indeed, we fear the whitepaper in question is overly focused on “forcing” organizations to prioritize security on par with business success, rather than on understanding which principles and practices would actually lead to the outcomes we need as a global software community. Many of the recommendations incentivize lip service: software manufacturers “proving” their commitment to security through words rather than actions.

We believe this is woefully misguided. We believe Secure by Design can align with business priorities like software velocity, developer productivity, and reliability in production. We believe in outcomes rather than outputs. So, our response enumerates principles and practices that software engineering teams can adopt without getting fired for ignoring business goals.

Similar to our prior RFI response on open source security, our commentary is exhaustive. We wanted not only to offer our expertise but to enumerate as many concrete opportunities for organizations to apply Secure by Design in practice as we could, despite only finding out about the RFI a week before it was due. In that vein, for those of you asking, “How should my software engineering team(s) start investing in Secure by Design?” we suggest you read Section 1.2.1 of our response.

Our response begins with overall commentary on CISA’s whitepaper, both where we agree and, more often, where we disagree, while proposing ample alternatives along the way. After that, we address multiple question areas from the RFI, ranging from economic incentives and dynamics to threat modeling, education, and more.

We are publishing our response in the spirit of transparency; you can read it at the following link: https://kellyshortridge.com/papers/CISA-2023-0027-Shortridge-Sensemaking.pdf

In the spirit of shepherding the Secure by Design movement towards the resilient future we envision, we feel privileged to submit our recommendations for CISA to consider as they navigate how to nourish Secure by Design in practice.

Note that we are submitting as Shortridge Sensemaking LLC. The views expressed in our response are not necessarily the views of our employers or any of their affiliates. The information contained herein is not intended to provide, and should not be relied upon for, investment advice (which we would hope is obvious).


Enjoy this post? You might like my book, Security Chaos Engineering: Sustaining Resilience in Software and Systems, available at Amazon, Bookshop, and other major retailers online.