‘Secure by design’ offers chance for some companies to win back trust

Following alerts of threat actors exploiting vulnerabilities in IT services company Ivanti’s Connect Secure and Policy Secure gateway products, CEO Jeff Abbott wrote an open letter on April 3 committing to a philosophy increasingly touted by government and industry: secure by design.

The framework—one supported by CISA, the Biden administration, and tech giants like Google—embeds security in all phases of the development process. Targeted companies like Ivanti and SolarWinds, which have faced attacks on their own products, hope that their emphasis on secure by design builds trust in code and trust with their customer base.

“When there was a swirl around us like there was, it did necessitate a strong response,” Abbott told IT Brew.

In the open letter, Abbott emphasized the company’s path down a “new era,” emphasizing a critical look at all phases of development and pledging a revamp of vulnerability management practices, partnerships with cyber agencies, and information-sharing efforts with customers.

“We are committed to a broad shift that fundamentally transforms the Ivanti security operating model,” Abbott wrote.

CISA says. During a Feb. 27, 2023 speech at Carnegie Mellon, CISA Director Jen Easterly laid out the basics of secure by design, or core principles for tech makers to build product safety into their design processes:

• Product safety should not fall on the consumer alone.
• Manufacturers must embrace “radical transparency” about the nature of customers’ security challenges.
• Tech makers must publish a secure “roadmap,” demonstrating how products will be built safely.

Easterly cited a number of practices, including moving to memory-safe languages (ones like Rust, Go, Python, and Java that prevent the insertion of some bugs), having a transparent vulnerability disclosure policy, and secure coding practices.

CISA updated its secure by design framework October 2023,and a pillar of the Biden administration’s 2023 National Cybersecurity Strategy calls for vendors to take responsibility for security design.

Attesting 1, 2, 3. On March 18, CISA released a secure software self-attestation form, which identifies minimum secure development requirements for software used by federal agencies. Checklist items include logging, “provenance” capabilities to show code sources. and vulnerability-disclosure programs. SolarWinds, which suffered a supply-chain attack in 2019, announced its completion of the form and alignment with the CISA-approved principles.

“We think we can go to our federal customers and say, ‘Hey, we know you’re going to be asked to collect self-attestations, SBOMs. You’re going to be asked to get an understanding of how your software vendors are implementing zero trust. And here’s our answers to all of those questions.’ So, it’s easier to buy our product than somebody else who can’t answer those questions,” Chip Daniels, VP, government affairs at SolarWinds, told IT Brew.

SolarWinds began a reassessment of its build process following the cyberattack on its system-management tool, halting development for six months to consider a different design approach, according to Daniels. Threat actors compromised clients when SolarWinds inadvertently delivered malicious code as an update to the company’s Orion software.

“We believe that in order to rebuild trust with those customers, we need to show that we take [security] very seriously,” Daniels said, citing that the company has changed how it develops software: later aligning with NIST’s secure software development framework, regular penetration testing, and a parallel-build approach (multiple coders working on the same project in separate environments) that helps to recognize any improperly injected code.

Srinivas Mukkamala, Ivanti’s chief product officer, said the company will reshape development teams, and the coders’ work will face increased scrutiny from an embedded security tester, a security architect, and a pod leader accountable for reporting to a secure by design lead.

“Anybody who’s getting into secure by design has to assess to developers: Are they trained or not trained? That’s where it starts, I would say it’s at least 10 to 20% more overhead on your existing traditional development process,” Mukkamala told IT Brew.