Sherri Davidoff's Post

The Cybersecurity and Infrastructure Security Agency's new Secure by Demand guide provides questions that customers should ask of #software manufacturers to understand the security mindset behind the software design and development. The guide is a counterpart to the Secure by Design guide. Read more: https://lnkd.in/gEFYEpsS
More Relevant Posts
When selecting software, don’t just focus on features—demand security!🔒 Key questions to consider: • How is security embedded in the development cycle? • How are vulnerabilities handled by the vendor? Access the complete guide by CISACyber👇
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem | CISA
cisa.gov
"In this guidance, we lay out questions and resources that organizations buying software can use to better understand a software manufacturer's approach to cybersecurity and ensure that the manufacturer makes secure by design a core consideration." "Although enterprise security is important, customers also need to focus on how a manufacturer approaches product security." YES - THIS IS CORE TO MY RESEARCH! https://lnkd.in/gnACgrRx
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem | CISA
cisa.gov
OTA updating of embedded software plays a critical role in connected product security by design. Secure and robust OTA and offline updating provides automated and managed workflows for embedded software deployments to IoT-connected devices at scale. CISA's Secure by Demand guide is well worth reading: Secure by design products are those in which software manufacturers—the companies that create, ship, and maintain software—make security a core consideration from the earliest stages of the product development lifecycle. Ensuring that the products they use and procure are secure by design is essential for organizations to be resilient against ransomware and other forms of malicious cyber activity. Software manufacturers strive to deliver the features customers request, so it is crucial that customers explicitly demand security as part of the procurement process. https://lnkd.in/gdKgK6zA #OTAupdates
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem | CISA
cisa.gov
🔸 The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Secure by Demand Guide to help organizations better evaluate software manufacturers' security practices. 🔸 The guide emphasizes the importance of prioritizing product security during software procurement, rather than just focusing on enterprise security measures. 🔸 It provides questions to ask and considerations for integrating security into various stages of the procurement process, from pre-purchase inquiries to post-purchase assessments. 🔸 The guide also advocates for the "secure by design" philosophy, urging manufacturers to prioritize security from the beginning of product development, including eliminating default passwords, supporting multifactor authentication, evidencing, and addressing vulnerabilities. #fci #cybersecurity #cisa #securebydemand #guide #cyberdefense #cyberrisks #riskmanagement #vendormanagement #cybersafe #softwaremanagement #infosec #networksecurity #mfa #vulnerabilities https://lnkd.in/e9RBEMAy
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem | CISA
cisa.gov
A few months ago, NIST released a Fact Sheet as part of their "Secure by Design" program. The Fact Sheet addresses a lot of important points companies should demand from their software vendors when it comes to having more access to security best practices. The emphasis on having phishing-resistant authentication factors available at no extra cost really drives the point of "Secure by Design". In my view, the most important demand is for vendors to "🛂 support integrating standards-based single sign-on (SSO) for customers at no additional cost 🛂". Being able to integrate business-critical applications into SSO, without having to buy a higher tier than needed, is a big step out of the ⚠️ security poverty line ⚠️, especially for smaller organisations. Many SaaS vendors still require customers to purchase a higher tier of their product to benefit from SSO. The "SSO Wall of Shame" (sso.tax) is a great resource to learn about this behaviour. #demandsecuritybydesign
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem | CISA
cisa.gov
Business Executive Challenge: read the following article (yes, all of it) from the US Cybersecurity & Infrastructure Security Agency (CISA) and try to answer the questions it poses. https://lnkd.in/g_rvEHPz For most non-technical decision makers, I think you will find that many of you never thought to ask questions such as these of your software vendors BEFORE you made your software purchases. https://lnkd.in/gMu96fdp #software #security #business #privacy #dataprotection
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem | CISA
cisa.gov
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released the third edition of its Framing Software Component Transparency (2024) document. This edition provides enhanced definitions and clarifications of SBOM Attributes, building on the 2021 version. It includes detailed descriptions of the minimum standards, recommended practices, and aspirational goals for each attribute. The work reflected in the document is a product of extensive discussion in the #SBOM Tooling and Implementation Working Group, a CISA community-driven workstream, and feedback from across the software community. Titled ‘Framing Software Component Transparency,’ the latest CISA document identifies that the software supply chain has historically not been required to provide transparency into the composition of software systems. “This lack of visibility has contributed to #cybersecurity and #SupplyChain risks and increases the costs of software development, procurement, operations, and maintenance. In our increasingly interconnected world, risk, and cost impact not only individuals and organizations but also collective goods (e.g., public safety and national security).” https://lnkd.in/gBcruwma
CISA publishes third edition of Framing Software Component Transparency, enhancing SBOM attributes
https://industrialcyber.co
CISA released a Secure by Demand Guide August 6. This cements the shift from Secure by Design to Secure by Demand. It provides a series of questions to ask before, during, and after procurement of a product. This guidance appears very similar to the International Guidance on Choosing Secure and Verifiable Technologies document published by the Australian Government recently (https://lnkd.in/gCfU5bBA). Below are the questions from the guidance, followed by my opinions and concerns:

General
- Has the manufacturer signed the CISA Secure By Design pledge?
- How easy is it to obtain and apply security patches?

Authentication
- Does the manufacturer support SSO at no extra cost?
- Does the manufacturer support MFA by default at no extra cost?
- Has the manufacturer eliminated default passwords?

Eliminating Classes of Vulnerabilities
- What classes of vulnerability has the manufacturer systematically addressed in their products?
- For those not yet eliminated, does a roadmap to do so exist?

Evidence of Intrusions
- Are 6+ months of security logs available to customers in the baseline version of the product?

Supply Chain Security
- Does the manufacturer maintain and share provenance of third-party code components?
- Does the manufacturer have a process to maintain and contribute to OSS projects?
- Is an SBOM available?
- How does the manufacturer vet OSS components?

Vulnerability Disclosure / Reporting
- Is the manufacturer timely and transparent with respect to reporting and addressing vulnerabilities for both cloud and on-prem products?
- Does the manufacturer use CWE and CPE fields in CVE records?
- Does the manufacturer have a vulnerability disclosure policy that authorizes the public to responsibly test their product?

Positives from me:
1. Having an expectation for agency asks is good for vendors. They can expect these asks and align to them.
2. It pushes on the top issues today: MFA, memory safety, SBOM, and OSS are all things we've been talking about anyway.
3. This puts weight behind the best practices. What good is guidance without a means to drive implementation? Now we see pressure to comply.

My concerns?
1. Some features have a cost that the list may not consider. Are some features expected to be in baseline versions of products that have a higher cost to maintain for vendors than agencies realize?
2. Pushing these changes on vendors doesn't mean it's going to make things easier near term. I believe it may snarl purchase programs and complicate purchases and renewals for some.
3. Some of these things are more established asks than others. I feel like some, like OSS and SBOM, have been around for a long time, but vulnerability disclosure and reporting is a newer structure (CIRCIA, etc.) and could be far more complicated.

Read the doc here: https://lnkd.in/gDdHQZ64 #cisa #securebydemand #securebydesign #oss #sbom #msl
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem | CISA
cisa.gov
How easy is it for a software consumer to check a software product for vulnerabilities at any moment in time? Answer: it's trivial if a software supplier is providing an online, up-to-date Vulnerability Advisory Report (VAR) following National Institute of Standards and Technology (NIST) guidance, a/k/a Vulnerability Disclosure Report (VDR): "Ensure that third-party suppliers continuously enrich SBOM data with a VAR." https://lnkd.in/gPDbwhiX

An example NIST VDR (now called VAR in NIST SP 800-161r1-upd1) that indicates the presence of exploitable vulnerabilities, or not, in a single Y/N flag is available here, using the CISASAGReader app as an example: "UnresolvedVulnerabilities": "N", https://lnkd.in/eP2hm56j

Companies can cycle through hundreds of software products checking for known exploited vulnerabilities in minutes when software suppliers provide access to a NIST Vulnerability Advisory Report (VAR) along with an SBOM, following NIST guidance. A pilot project demonstrating these capabilities has been submitted by Business Cyber Guardian (TM) to EPRI for consideration.
Software Security in Supply Chains: Software Bill of Materials (SBOM)
nist.gov
You might be surprised at what's lurking in your software. Dive into Fortifying the Software Supply Chain Security (SSCS) and arm yourself with actionable strategies to boost security! Learn more: https://hubs.la/Q02CtymR0 #SoftwareSecurity #CyberThreats #Futurex
Fortifying the Software Supply Chain: A Crucial Security Practice
futurex.com