TLP:CLEAR
Shifting the Balance of Cybersecurity Risk:
Principles and Approaches for Security-by-Design and -Default
Publication: April 13, 2023
Cybersecurity and Infrastructure Security Agency
NSA | FBI | ACSC | NCSC-UK | CCCS | BSI | NCSC-NL | CERT NZ | NCSC-NZ
Disclaimer: This document is marked TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when information
carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on
the Traffic Light Protocol, see http://www.cisa.gov/tlp/.
Table of Contents
Overview: Vulnerable by Design
  Secure-by-Design
  Secure-by-Default
Recommendations for Software Manufacturers
  Software Product Security Principles
  Secure-by-Design Tactics
  Secure-by-Default Tactics
Hardening vs loosening guides
Recommendations for Customers
Disclaimer
Resources
OVERVIEW: VULNERABLE BY DESIGN
Technology is integrated into nearly every facet of daily life. Internet-facing systems are
connected to critical systems that directly impact our economic prosperity, livelihoods, and even health, ranging from personal identity management to medical care. As only one
example, cyber breaches have resulted in hospitals cancelling surgeries and diverting patient
care globally. Insecure technology and vulnerabilities in critical systems may invite malicious cyber intrusions, leading to serious potential safety risks.¹
Now more than ever, it is crucial for technology manufacturers to make Secure-by-Design and
Secure-by-Default the focal points of product design and development processes. Some
vendors have made great strides driving the industry forward in software assurance, while
others lag behind. The authoring agencies strongly encourage every technology manufacturer to build their products in a way that prevents customers from having to constantly perform
monitoring, routine updates, and damage control on their systems to mitigate cyber
intrusions. Manufacturers are encouraged to take ownership of improving the security
outcomes of their customers. Historically, technology manufacturers have relied on fixing vulnerabiliti