Fundamental principles to ensure a safer digital environment at the heart of Fortinet's secure product development lifecycle
In today's rapidly evolving cybersecurity landscape, given the increasing number of threats and adversaries and the shortage of cybersecurity skills, organizations must work with providers who take ownership of security management by removing the burden of operating a secure infrastructure. This starts with developing and deploying solutions based on the principles of security by design and security by default.
This month, the Cybersecurity & Infrastructure Security Agency (CISA) and 17 American and international partners published an update of the joint Secure by Design product, " Shifting the Balance of Cybersecurity Risk : Principles and Approaches for Secure by Design Software ". According to CISA, these updated guidelines "build on three core principles: taking ownership of customer security outcomes, embracing radical transparency and accountability, and leading from the top".
To achieve this, the foundation of any secure product development lifecycle (SDLC) must incorporate secure-by-design and secure-by-default principles. At Fortinet, this concept is embedded in our SDLC policy from the earliest stages of development and is part of our Fortinet SDLC policy and its 10 associated Fortinet principles. We believe this should be the case for all security vendors.
Secure by design
Security by design is a fundamental cybersecurity approach that ensures security is not applied as an afterthought, but is an integral part of the development process. Security must be embedded in the very DNA of every product, application and service. When something is secure by design, it is built with the understanding that security must be a natural function of the solution, rather than something that needs to be added later.
Why is security by design so important for cybersecurity vendors?
By adopting a security-by-design strategy, cybersecurity providers ensure that their solutions are intrinsically robust, minimizing vulnerabilities from the outset and reducing the need for patches and updates. When security is inherent to the design process and techniques such as threat modeling are used before a single line of code is written, the risks of breaches, vulnerabilities, and costly security incidents are significantly reduced.
Such secure design practices can help providers establish and, most importantly, maintain the trust of their clients, which is essential in a sector where trust can be lost faster than it can be built.
Secure by default
Secure by default takes the concept of secure by design a step further. When a client deploys a cybersecurity solution, it must already be configured with the most secure settings defined by default. IT teams can then consciously choose to relax specific security parameters rather than having to enable them. This is the opposite approach to most traditional solutions, which were based on ease of system deployment, then requiring the client to find ways to harden the solution, often leaving critical systems unprotected.
The benefits of security by default for cybersecurity providers
Security by default turns the table, meaning the user does not need to be a cybersecurity expert to ensure their protection. Instead, by making security the default configuration, organisations are protected from the outset, without having to configure complex settings. This minimises the risk of human error while strengthening or improving protection and accelerating deployment.
By implementing security best practices from the start, security by default offers a more user-friendly security posture, ensuring that organisations are well protected from the outset, thereby improving customer satisfaction.
A new approach is required when implementing security by design and security by default
With this new paradigm in place, configuring a cybersecurity solution may require starting with a secure-by-default implementation, then making adjustments for individual users who need to operate within the expanding attack surface.
Overall, these investments are beneficial for both vendors and customers, as they prevent configuration issues that can lead to breaches, while helping to maintain customer trust and uphold secure-by-design and secure-by-default protections.
Conclusion
Fortinet has committed to implementation of these objectives for several years. It is timely and reassuring that CISA, NSA, the UK's NCSC, Canada's CCCS, Australia's ASD/ACSC, and several other organizations have taken the crucial step of proactively recommending that all vendors adopt a secure-by-design and secure-by-default methodology as an integral part of their product and service development lifecycle. These new standards will guide vendors in their contribution to a safer digital environment for all.