Blog entry by Les Bell
In light of a spate of successful attacks exploiting vulnerabilities in web management interfaces, the US Cybersecurity & Infrastructure Security Agency has issued a "Secure by Design" alert to urge software vendors to adopt two fundamental principles in the design and development of their products:
- Take Ownership of Customer Security Outcomes
- Embrace Radical Transparency and Accountability
The first principle requires vendors to invest in key security areas such as application hardening, application features and default configuration settings. For the latter, especially, the alert recommends enforcing best practices - for example, if best practice requires shielding a system from the public internet, then the default configuration should:
- disable the product's web interface by default and provide a "loosening guide" that itemizes - in both technical and non-technical language - the risks that come with overriding the default
- configure the product so that it does not operate while in a vulnerable state, such as when directly exposed on a public IP address
- warn the administrator that overriding the default behaviour may introduce significant risk to the organization
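The three defaults above, expressed as a startup guard. This is an added Python example, not code from the CISA alert or from any vendor's product; the config keys `mgmt_web_enabled`, `mgmt_bind_addr` and `allow_public_mgmt` are hypothetical, and a wildcard bind is assumed to count as exposed.

```python
import ipaddress
import logging

log = logging.getLogger("mgmt-guard")

# Hypothetical config keys with secure defaults: interface off, loopback only,
# no public exposure unless the administrator explicitly opts in.
DEFAULTS = {
    "mgmt_web_enabled": False,
    "mgmt_bind_addr": "127.0.0.1",
    "allow_public_mgmt": False,
}

def is_exposed(addr):
    """True for a globally routable address or a wildcard bind (0.0.0.0, ::)."""
    ip = ipaddress.ip_address(addr)
    # Assumption: a wildcard bind listens on every interface, so treat it as
    # exposed rather than trying to enumerate the host's addresses.
    return ip.is_unspecified or ip.is_global

def decide_mgmt_startup(config):
    """Return (start, reason) for the web management interface."""
    cfg = {**DEFAULTS, **config}
    if not cfg["mgmt_web_enabled"]:
        return False, "web management interface is disabled by default"
    if not is_exposed(cfg["mgmt_bind_addr"]):
        return True, "bound to a non-public address"
    if not cfg["allow_public_mgmt"]:
        # Fail closed: do not operate while in the vulnerable state.
        return False, "refusing to start: %s is publicly reachable" % cfg["mgmt_bind_addr"]
    # Override accepted, but the administrator is warned on every start.
    log.warning("management interface exposed on %s; overriding the default "
                "may introduce significant risk", cfg["mgmt_bind_addr"])
    return True, "started with public-exposure override"

if __name__ == "__main__":
    # Constructed sample configurations (8.8.8.8 stands in for any public IP).
    for sample in ({}, {"mgmt_web_enabled": True},
                   {"mgmt_web_enabled": True, "mgmt_bind_addr": "8.8.8.8"},
                   {"mgmt_web_enabled": True, "mgmt_bind_addr": "0.0.0.0",
                    "allow_public_mgmt": True}):
        print(sample, "->", decide_mgmt_startup(sample))
```

The override flag is where a "loosening guide" would attach: the refusal message can point the administrator to the documented risks before they set it.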
The alert also suggests conducting field tests to understand how customers actually deploy products in their unique environments, in order to prevent unrealistic expectations of customers' skills and abilities on the part of the developers. And, of course, developers should consistently enforce authentication throughout the product, especially on highly trusted interfaces such as administrator portals.
The second principle requires vendors to lead with transparency when disclosing product vulnerabilities, and to perform thorough investigation of vulnerabilities to correctly document CVE entries and share what they learn across industry.
CISA, Secure by Design Alert: How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity, Secure by Design Alert, 29 November 2023. Available online at https://www.cisa.gov/resources-tools/resources/secure-design-alert-how-software-manufacturers-can-shield-web-management-interfaces-malicious-cyber.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.