Prioritize product security to be resilient against cyberattacks

Software security is a key consideration for any organization conducting business digitally.

Recognizing this, on August 12, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem. The guide helps organizations ensure their software manufacturers prioritize security from the start by providing questions, considerations and resources to integrate product security throughout the procurement lifecycle.

The guide also complements the recently published Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle.

The importance of adequate cybersecurity measures grows as more organizations digitally transform their operations. As a result, it should become commonplace for software customers to be diligent about and demand security measures as part of their procurement process.

Secure by Design

Secure by Design is a software concept that prioritizes security from the outset of the product development lifecycle by software manufacturers – those that create, ship and maintain software. Three Secure by Design principles for manufacturers are:

  1. Taking ownership of customer security outcomes;
  2. Embracing radical transparency and accountability; and,
  3. Building an organizational structure and leadership to achieve these goals.

A focal point of the Secure by Design concept is manufacturers ensuring that their products are secure so that customers can be more resilient against ransomware and other forms of malicious activity. Traditionally, software customers have focused on manufacturers’ enterprise security measures, letting specific product security fall by the wayside. For context, enterprise security refers to practices that protect the software manufacturer’s own infrastructure and operations. Meanwhile, product security refers to measures implemented into specific software products by the manufacturer so the software remains secure against attackers when in operation.

Software customers can integrate product security by taking different steps at different stages of the procurement lifecycle:

ONE. Before procurement, the software purchaser should ask vendors questions to understand their approach to product security.

Examples of important questions to ask before procurement are:

  • How does the manufacturer implement security patches and enable functionality for automatic updates?
  • How does the product support secure authentication, for example, does the software enable multi-factor authentication?
  • Has the software manufacturer eliminated default passwords or reduced the use of default passwords?
  • How has the manufacturer addressed software defects and vulnerabilities?
  • How does the manufacturer address its supply chain security (for example, third-party dependencies and open-source components)?
  • Does the manufacturer make security logs available to the software purchaser?

TWO. During procurement, customers should integrate product security requirements into contract language.

THREE. Following procurement, customers should continually assess the manufacturer’s product security and security outcomes.

The Privacy, Data Protection & Cybersecurity team at MLT Aikins has significant experience with assisting clients throughout the procurement process to assist them in being more resilient against cyberattacks.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.