“Secure By Design and Default” in Your Cybersecurity Team
What the Three “Secure by Design and Default” Software Product Security Principles Mean for Your Cybersecurity Team
Bad security happens because we protect only one attack surface at a time, or only when a new regulation tells us to. We are “Vulnerable by Design” (CISA). We cannot keep products, or even ourselves, secure if we rely on humans to take action to keep their security posture current. “Secure by Design and Default” aims to change how we design products by injecting security from day one of the process.
“Secure by Design and Default” is an approach to security product development where customer-centric security requirements are injected into product development from the beginning and products are released in a state where customers are secure “out-of-the-box.”
Many of us in the DevSecOps world already strive to do this with our own projects. In reality, though, our software supply chain relies on many open-source and third-party vendors to keep us afloat. Many of these software and hardware products require us to keep them current with security patches. I don’t know about you, but product currency stories in our backlog usually don’t get the highest priority. Balancing priorities among customer features, security, and engineering operations means that…