Recognizing that cyber criminals increasingly exploit software vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken the lead with a new resource for software customers—the “Secure by Demand Guide.” The Guide is part of CISA’s ongoing effort to strengthen the cybersecurity resilience of businesses, organizations, and government agencies nationwide. The guide aims to help software customers actively strengthen the security of the software products they acquire.
Key Recommendations for Software Customers
CISA’s Guide offers software customers several ways to enhance their security through more thoughtful procurement practices. Here are the core takeaways:
1. Prioritize Security as a Key Criterion: Organizations should treat security as a mandatory requirement, not an afterthought. CISA recommends that buyers prioritize security features when evaluating new software, setting a baseline for security that aligns with their risk appetite. This includes asking vendors about their security testing, vulnerability management practices, and compliance with recognized application security standards.
2. Use Security Questions in RFIs and RFPs: When organizations issue Requests for Information (RFIs) or Requests for Proposals (RFPs), they should include specific questions about the vendor’s security practices. The guide provides examples of such questions; for instance, whether the vendor performs regular security audits, follows secure coding and software development lifecycle (SDLC) practices, and their measures for incident response.
3. Demand Transparency and Accountability: Vendors should be transparent about their software development processes, security protocols, and vulnerability remediation. The guide emphasizes that customers must request detailed information about how vendors address security flaws, whether they participate in bug bounty programs, and how they manage security patches and updates.
4. Negotiate Security Requirements into Contracts: CISA advises customers to include specific security requirements in their contracts with software vendors. These might include service-level agreements (SLAs) for security updates, requirements for prompt disclosure of vulnerabilities, or mandates for regular third-party security assessments.
5. Collaborate with Vendors on Long-Term Security: Since security is a dynamic process, organizations should seek long-term partnerships with trusted vendors who are committed to continuously improving their software’s security. This partnership could include negotiating the right to audit security practices or establishing communication channels to share information about emerging threats and mitigations.
Driving a Shift in the Software Development Market
CISA highlights that if more organizations begin demanding more robust security from software vendors, it will drive a shift across the entire software development market. Software manufacturers will be incentivized to prioritize security to remain competitive and increase their bottom line. In this way, software buyers can play a critical role in shaping the future of secure software development.
This is a timely guide as both private and public sector organizations face increasing cyberattacks, many of which exploit software vulnerabilities. The importance of proactive cybersecurity measures has never been more pressing, especially when critical infrastructure is at a heightened risk.
Implications for Business and Government
With businesses quickly becoming software-driven entities, the CISA guide is particularly relevant for industries that rely heavily on software to run critical operations, such as healthcare, finance, and utilities. By adopting these best practices, businesses can reduce their exposure to software-related risks while signaling to vendors that security is non-negotiable.
For government agencies, this guide dovetails with the broader push for more robust cybersecurity across the federal ecosystem, as outlined in recent executive orders. Agencies can use this guide to ensure that the software they procure meets federal cybersecurity standards and contributes to the overall security of the government’s IT infrastructure.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.