ACSC releases recommendations for software vendors to adopt secure practices

Australia has joined its international cybersecurity partners and issued recommendations for software manufacturers to adopt secure-by-design and secure-by-default practices.

The Australian Cyber Security Centre (ACSC) has also urged customer organisations to hold their software manufacturers and suppliers to these standards.

Abigail Bradshaw, head of the ACSC, stressed that cybersecurity could not be an afterthought and that consumers deserved products that were secure from the outset.

Authors of the Shifting the Balance of Cybersecurity Risk: Secure-By-Design and Default Principles Guide, co-written by the ACSC alongside fellow cyber agencies in the US, Canada, the UK, Germany, the Netherlands, and New Zealand, urged technology manufacturers to build their products “in a way that prevents customers from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions.”

Historically, technology manufacturers have relied on fixing vulnerabilities found after customers had already deployed their products, leaving customers to apply those patches at their own expense.

The ACSC stated in its guide that only when technology developers incorporate secure-by-design practices can organisations break the vicious cycle of creating and applying fixes.

Products that are ‘secure-by-design’, the guide specified, were those where the security of customers was a core business goal, not simply a technical feature, with this goal baked in before development had even started.

Secure-by-default products, in turn, were those that were secure to use “out of the box”, with little to no configuration change necessary and security features available without additional cost.

“Together, these two principles move much of the burden of staying secure to manufacturers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues,” the ACSC said in a statement.

The ACSC, alongside the US Government’s Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and the international partners listed below, provides in the guide a roadmap for technology manufacturers to increase the security of their products:

  • Canadian Centre for Cyber Security (CCCS)
  • United Kingdom’s National Cyber Security Centre (NCSC-UK)
  • Germany’s Federal Office for Information Security (BSI)
  • Netherlands’ National Cyber Security Centre (NCSC-NL)
  • New Zealand’s National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)

“The authoring agencies recognise the contributions by many private sector partners in advancing security-by-design and security-by-default,” the ACSC said.

“This product is intended to progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default.

Toward that end, the authoring agencies seek feedback on this product from interested parties and intend to convene a series of listening sessions to further refine, specify, and advance our guidance to achieve our shared goals.”