Security by Design in 2024: Principles, Practices, and Regulations

Shlomit Cymbalista

10 min read | 01/05/2024

What Is Security by Design

Security by design is the practice of integrating security as a core principle in the entire software and hardware development lifecycle to prevent security vulnerabilities and mitigate security risks. This is done through controls such as adherence to secure coding practices, robust testing, strong authentication, and continuous monitoring in production.

It is far more effective and less costly to design a system with security in mind from day one than to discover vulnerabilities and patch security holes only after a product is released to the market. Security by design allows organizations to build security into a product from the ground up.

Security by design is becoming an inseparable part of many industries, from software engineering to cloud computing to the Internet of Things (IoT). IoT devices, especially those used for sensitive applications like healthcare, present significant security risks and are becoming a central focus for security by design practices.

In addition, regulations and standards such as NIST SP 800-160, the U.S. PATCH Act, IEC 62443, EU Cyber Resilience Act, and new FDA guidelines for medical devices, are mandating security by design principles for many types of software and hardware.

Benefits of Secure by Design

Security by design offers numerous advantages for organizations developing digital products or systems. Here are some key benefits:

  1. Better security posture: Security by design ensures that security is an integral part of the product architecture, not just an add-on. This leads to stronger security controls that are less likely to be bypassed or compromised.
  2. Reduced costs: Integrating security from the initial stages of development can significantly reduce the costs associated with fixing vulnerabilities post-release. It’s much cheaper to address security issues during the design phase than to patch them after a product is already in use.
  3. Improved compliance: With increasing regulatory requirements around data protection and security, secure design helps organizations comply with these laws from the outset. This proactive approach can prevent costly legal and regulatory penalties.
  4. Enhanced reputation: Organizations that prioritize security in their product design are likely to build a stronger reputation for reliability and trustworthiness.
  5. Faster time to market: By addressing security early in the development process, organizations can avoid delays related to security concerns that might arise during the later stages of development or after deployment.

CISA Secure by Design Principles and Practices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released official guidance to help the private sector ensure products and technologies are secure by design. 

Principle 1: Take Ownership of Customer Security Outcomes

Software manufacturers are encouraged to prioritize the security and resilience of their products from the outset. This includes employing practices like application hardening, which involves techniques to make software more resistant to attacks, such as using memory-safe programming languages, parameterized queries to prevent SQL injection, and rigorous software development lifecycle management.

Manufacturers are also advised to incorporate security features that enhance the cybersecurity posture of their users, like multifactor authentication (MFA) and role-based access control. Additionally, setting secure configurations as the default is critical to ensure that users start with the highest level of security.

Principle 2: Embrace Radical Transparency and Accountability

Manufacturers should commit to transparency regarding their security practices and the performance of their products. This includes the thorough documentation of vulnerabilities and taking accountability for security flaws. 

Transparency not only helps in building trust with customers but also sets industry standards for what constitutes robust security practices. Manufacturers are expected to continuously share information, such as the rate of adoption of security features among users and detailed responses to security incidents.

Principle 3: Build Organizational Structure and Leadership to Support Security Goals

The top management within organizations should lead by example by prioritizing security in their business strategies. This involves aligning the company’s leadership with security goals and ensuring that security considerations are embedded in the product development process. 

Executives need to be actively involved in fostering a culture that values security, which helps in the practical implementation of security controls throughout the product’s lifecycle.

Secure By Design Practices

To support these principles, the CISA guidelines suggest a variety of operational tactics.

Eliminate Default Passwords

  • Software should require users to establish a unique, strong password during the initial setup process instead of providing a default password.
  • For devices, each unit could come with a randomized, strong password that is unique to each device.

Conduct Field Tests

  • Regularly perform security testing in real environments to understand how users interact with the product and to identify potential security gaps.
  • Field tests can include user behavior analysis to detect and mitigate possible misuse or unintended security risks.

Make Hardening Easier

  • Streamline security guidance to focus on essential practices that users can easily implement.
  • Automate security settings wherever possible to minimize the need for manual configuration and reduce human error.

Actively Discourage Use of Unsafe Legacy Features

  • Provide clear migration paths for users to move from older, less secure features to updated, more secure alternatives.
  • Use software updates to phase out legacy features that pose security risks.

Implement Attention-Grabbing Alerts

  • Design alerts that actively notify administrators and users of insecure settings or configurations.
  • Such alerts should be prominent and persistent until the security risk is mitigated.

Create Secure Configuration Templates

  • Offer pre-configured security settings that align with the best security practices for various levels of risk.
  • Templates should help users quickly establish a secure environment without needing extensive security knowledge.
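As an added example (not code from the article, from CISA, or from Sternum), here is a first-boot check in Python that applies three of the practices above together: it refuses factory-default or weak passwords, can issue a per-unit random credential, and diffs the device configuration against a secure template so that every deviation produces an alert that recurs until it is fixed. The template keys, the default-password list, and the sample configuration are constructed for illustration.

```python
import re
import secrets
import string

# Constructed set of well-known factory credentials the product must never accept.
DEFAULT_PASSWORDS = {"admin", "password", "12345678", "changeme", "default"}

# Secure configuration template (illustrative keys): the baseline every unit starts from.
SECURE_TEMPLATE = {
    "telnet_enabled": False,
    "remote_admin_enabled": False,
    "mfa_required": True,
    "tls_min_version": "1.2",
}

def password_is_acceptable(password):
    """Reject factory defaults and weak choices during initial setup."""
    if password.lower() in DEFAULT_PASSWORDS or len(password) < 12:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3

def generate_device_password(length=16):
    """Per-unit random credential for products that ship a unique password
    on each device instead of a shared default."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:  # redraw until the candidate meets the same policy users face
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_is_acceptable(candidate):
            return candidate

def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def insecure_settings(config):
    """Diff a device configuration against the secure template and return one
    alert per deviation. A missing key falls back to the template value, so
    'not configured' is never the insecure state."""
    alerts = []
    for key, secure_value in SECURE_TEMPLATE.items():
        actual = config.get(key, secure_value)
        if key == "tls_min_version":
            if _version_tuple(actual) < _version_tuple(secure_value):
                alerts.append(f"{key}={actual} is below the required {secure_value}")
        elif actual != secure_value:
            alerts.append(f"{key}={actual} (secure template: {secure_value})")
    return alerts

def first_boot(config, chosen_password):
    """Initial setup: refuse to complete until the password is acceptable, then
    report every insecure setting. Callers re-run insecure_settings() on each
    boot so the alerts persist until the configuration matches the template."""
    if not password_is_acceptable(chosen_password):
        return {"completed": False, "alerts": ["initial password rejected: default or weak"]}
    return {"completed": True, "alerts": insecure_settings(config)}

# Constructed sample: a unit on which telnet and TLS 1.0 were re-enabled.
SAMPLE_CONFIG = {"telnet_enabled": True, "tls_min_version": "1.0", "mfa_required": True}
```

Running `first_boot(SAMPLE_CONFIG, "admin")` stops setup on the default password, while an acceptable password completes setup but still returns the two configuration alerts.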

Secure Product Development Practices

Document Conformance to Secure SDLC Frameworks

Implement Vulnerability Management

  • Develop a robust vulnerability management program that not only addresses known vulnerabilities but also seeks to predict and mitigate future vulnerabilities.
  • Use automated tools to continuously scan for vulnerabilities and implement systematic patches.

Utilize Open Source Software Responsibly

  • Conduct thorough security reviews of open source components before integration.
  • Contribute to the security of open-source projects by submitting patches and supporting the community.

Provide Secure Defaults for Developers

  • Ensure that the default development environment is configured with security in mind.
  • Offer libraries and tools that promote secure coding practices to prevent common vulnerabilities like memory corruption, SQL injection or cross-site scripting (XSS).

Foster a Security-Conscious Developer Workforce

  • Incorporate security training and awareness into the developer onboarding process.
  • Regularly update training materials to cover emerging security threats and best practices.

Pro-Security Business Practices

Provide Logging at No Additional Charge

  • Ensure that all products generate detailed security logs by default, which are crucial for detecting and responding to security incidents.
  • Offer easy integration with existing security information and event management (SIEM) systems.

Eliminate Hidden Charges

  • Commit to providing all necessary security features without additional charges, reinforcing that security is a fundamental right, not a premium service.

Embrace Open Standards

  • Support and implement open standards for network and identity protocols to enhance interoperability and security across different systems and services.

Provide Upgrade Tooling

  • Offer resources, such as free test licenses and environments, to encourage users to safely test and deploy updates that include new security features and fixes.

Security by Design Regulations and Guidelines in the U.S.

In many countries, and for many types of devices, security by design is becoming a regulatory requirement, and not simply a recommendation. Here are a few important laws and standards that mandate security by design for IoT devices.

Systems Security Engineering (NIST)

The National Institute of Standards and Technology provides reliable security-by-design guidelines, such as NIST SP 800-160. This publication combines established security standards, focusing on engineering practices and techniques. It forces organizations to consider the entire operational life cycle.

The first two chapters define the security-by-design concepts and methods, outlining the core principles that allow organizations to apply them and customize them to the organization’s environment.

PATCH Act

The “Protecting and Transforming Cyber Healthcare Act” or PATCH Act aims to ensure the cybersecurity of medical devices. As more Internet of Medical Things (IoMT) devices join healthcare networks, these networks become more vulnerable to threats such as ransomware attacks.

IoMT devices often lack strong authentication and rely on vulnerable software, making it crucial to improve their security. The PATCH Act focuses on providing cybersecurity governance for medical device manufacturers but also affects healthcare organizations. Both device manufacturers and healthcare systems must address insecure legacy IoMT devices.

FDA Guidance for Cybersecurity and Medical Devices

The FDA updated its guidelines for cybersecurity in medical devices in September 2023. These new guidelines emphasize the importance of incorporating security controls throughout the medical device lifecycle, from design to post-market activities. Key aspects of the updated guidelines include:

  • Pre-market requirements: Manufacturers are required to provide a clear description of cybersecurity risks associated with their devices and the measures taken to mitigate these risks. This includes evidence of adherence to security by design principles.
  • Risk management: The guidelines stress the need for ongoing risk management and encourage manufacturers to adopt a continuous approach to monitoring, identifying, and mitigating cybersecurity threats.
  • Transparency with users: Manufacturers must inform users about the cybersecurity features of devices and any potential vulnerabilities. This includes clear instructions on how to securely configure and manage the devices.
  • Post-market surveillance: The FDA mandates rigorous post-market surveillance to quickly identify and address new vulnerabilities or exploits that could compromise device functionality or patient safety.
  • Reporting requirements: There is an emphasis on timely reporting of cybersecurity incidents that could impact device functionality or compromise patient data, ensuring that the FDA and the public are informed of potential risks.

Security by Design Regulations and Guidelines in Europe

EU Cyber Resilience Act

The EU Cyber Resilience Act (CRA), which was formally approved in March 2024 (final vote set for June 2024), is a legal framework designed to secure hardware and software products with digital elements throughout the European market. This legislation mandates manufacturers to implement comprehensive security controls across the product lifecycle, addressing the previously fragmented and inconsistent regulations that increased compliance costs and legal uncertainties. 

The scope of the CRA is extensive, applying to a diverse range of digital products from everyday devices like smartphones and laptops to specialized equipment such as smart meters and industrial control systems.

Key provisions of the CRA include:

  • Product cybersecurity requirements: As specified in Annex I, Section 1, these requirements mandate regular security updates and heightened defenses against vulnerabilities.
  • Vulnerability handling process: Defined in Annex I, Section 2, this requires a systematic approach to managing vulnerabilities, including prompt communication and patch distribution.
  • Harmonization: The CRA emphasizes the creation of harmonized standards by European Standardisation Organizations (ESOs), which are essential for mapping out and addressing the cybersecurity needs as outlined in the Act.
  • Legislative approval: The Act received strong legislative backing, having been approved by the European Parliament, and is awaiting formal adoption by the Council before it is fully enacted.

Code of Practice for Consumer IoT Security and UK IoT Security by Design

The UK’s Code of Practice for Consumer IoT Security, established to enhance the security of Internet-connected devices within the consumer market, serves as part of the nation’s efforts to fortify IoT devices against cyber threats. Key elements of the code include:

  • No default passwords: Consumer IoT devices must be supplied without universal default passwords, requiring users to set a unique password during initial setup.
  • Vulnerability disclosure policy: Manufacturers must provide a public point of contact as part of a vulnerability disclosure policy to ensure that any potential security issues can be reported and addressed promptly.
  • Updated software: Devices must support timely and secure updates for a specified period after sale, and this period should be clearly communicated to the consumer.
  • Secure communication: All device communications should be encrypted, and personal data protected to prevent interception and unauthorized access.

This approach aims to protect consumers and reduce the overall risk IoT devices might pose to the Internet and other connected devices due to their interconnected nature.

Challenges of Security by Design and How to Overcome Them

Here are some of the main challenges associated with incorporating security into the design of a product.

Achieving a Cultural Shift 

Implementing security by design requires a fundamental shift in organizational culture. Traditionally, security has often been considered a secondary aspect, dealt with after the primary functional requirements of a product. 

However, for a secure design approach to be effective, security needs to be regarded as an essential component of the initial design process, just as critical as functionality or user experience. This cultural shift can be challenging as it demands changes in mindset and priorities from the top management down to the development teams.

How to overcome:

  • Leadership commitment: Top management must visibly support and drive the security initiatives, demonstrating the importance of security to the entire organization.
  • Training and awareness: Regular training sessions should be organized to raise awareness about the importance of security among all employees, from developers to executives.
  • Incentivize security practices: Introduce incentives for teams that successfully integrate security in the early stages of product development, reinforcing the behavior organization-wide.

Enabling Complex Coordination

Security by design necessitates intricate coordination between multiple teams across an organization. From system architects and developers to security specialists and operations teams, everyone must work in harmony. This coordination becomes particularly challenging in large or geographically dispersed teams. 

Ensuring that all parties have a consistent understanding of security objectives and are aligned in their approach can delay project timelines and complicate workflows, especially when integrating multiple complex systems that each have their own security requirements.

How to overcome:

  • Centralized communication tools: Implement tools that facilitate seamless communication and documentation sharing among teams.
  • Regular cross-departmental meetings: Establish routine meetings where all relevant teams can synchronize their work and align on security goals.
  • Unified security frameworks: Adopt standardized security frameworks across the organization to ensure consistency in security practices.

Balancing Usability and Security

One of the critical challenges is balancing security controls with user experience. Overly stringent security controls can make a system cumbersome to use, potentially driving away users or leading to unsafe workarounds that compromise security. 

Designing systems that are both secure and user-friendly requires a deep understanding of user behavior and needs, which can be difficult to achieve without compromising on one aspect or the other.

How to overcome:

  • User-centered design: Involve users early in the design process to ensure that security features do not hinder usability.
  • Iterative testing and feedback: Use iterative testing cycles that allow for user feedback to refine security controls without compromising user experience.
  • Flexible security options: Offer users some level of control over security settings, allowing them to make informed decisions based on their needs, while ensuring secure default configurations.

Integrating with Existing Systems

Integrating security from the ground up in new designs is manageable, but incorporating these principles into existing systems presents a significant challenge. Many organizations use legacy systems that weren’t designed with security in mind. 

Updating these systems to incorporate modern security controls without disrupting existing operations requires careful planning and execution. This often involves complex updates and the potential risk of introducing new vulnerabilities during integration.

How to overcome:

  • Phased integration: Implement security enhancements in phases to minimize disruption and allow for adjustment as systems integrate.
  • Legacy system assessment: Conduct thorough security assessments of legacy systems to identify and prioritize areas for improvement.
  • Use of adaptors and APIs: Where possible, use adaptors and APIs to interface securely with legacy systems, adding layers of security without altering the core architecture extensively.

Security by Design for the Internet of Things (IoT) with Sternum

Many IoT devices were not designed with security in mind. Until now, it was very difficult to “retrofit” security into a non-secure IoT device without completely redesigning it. Sternum can help take legacy IoT devices that are already in the field and bring them closer to the level of security and compliance of secure-by-design development.

Sternum is an IoT security and observability platform. Embedded in the device itself, it provides deterministic security with runtime protection against known and unknown threats; complete observability that provides data about individual devices and the entire device fleet; and anomaly detection powered by AI to provide real-time operational intelligence.

Here is how Sternum can help you improve IoT security to meet regulatory requirements:

  • Agentless security – integrates directly into firmware, making it a part of the core build. This ensures that the solution cannot be externally compromised and leveraged as a point of failure, making the device ‘secure by design’.
  • Automatic mitigation of known and zero-day threats – prevents 96.5% of attacks in benchmark (RIPE) security tests. Its vulnerability-agnostic approach makes it equally effective in dealing with known and zero-day threats. This not only improves security but can also cut security patch management costs by as much as 60%.
  • Supply chain protection – relies on binary instrumentation, making it able to protect all running code. This extends to 3rd party and operating system libraries, effectively preventing all supply chain exploit attempts.
  • Protection of isolated devices – does not rely on external communication to secure devices, making it equally effective for connected and isolated devices.
  • Live attack information with zero false positives – real-time alert system notifies about all blocked attacks, providing – for each – detailed logs and attack path analysis. The deterministic nature of EIV’s integrity checks ensures that all alerts are always valid.
  • Streamlined compliance – helps meet the latest cyber regulations for IoT devices (IEC 62443, FDA, NIST, etc.) and the most current FBI recommendations for Internet of Medical Things (IoMT) endpoint protection.


Related content: Read our FDA cybersecurity guide or our comprehensive piece about Post Market Surveillance
