Compliance & Regulations

CISA's Secure by Default: Shifting Responsibility to Software Manufacturers

CISA's Secure by Design guidance pushes software vendors to ship secure defaults and take ownership of customer security outcomes, fundamentally changing the security responsibility model.

Nayan Dey
Engineering Lead
5 min read

In 2023, CISA intensified its "Secure by Design, Secure by Default" campaign, pushing the software industry toward a fundamental shift: making software manufacturers responsible for the security of their products, rather than placing the burden on customers to configure and secure them.

The April 2023 publication of "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software" was followed by updated guidance and a growing list of vendor pledges throughout the year. By November, CISA's messaging was clear: the era of shipping insecure defaults and blaming customers for not hardening them should be over.

The Core Principles

CISA's Secure by Design framework rests on three principles:

1. Take Ownership of Customer Security Outcomes

Software manufacturers should take responsibility for the security of their customers, not just the security of their code. This means:

  • Tracking and reducing the number of security incidents caused by the manufacturer's products
  • Investing in security engineering proportional to the product's criticality
  • Being transparent about security failures and their root causes

This is a radical shift from the traditional model where software licenses explicitly disclaim liability for security defects. CISA isn't proposing legal liability (yet), but it's setting expectations that will influence procurement decisions and regulatory frameworks.

2. Embrace Radical Transparency

Manufacturers should be transparent about their security practices, vulnerabilities, and incidents. Specific recommendations include:

  • Publishing vulnerability disclosure policies and CVE information
  • Providing SBOMs for products
  • Disclosing security-relevant product architecture decisions
  • Being honest about known limitations and security boundaries

3. Build Organizational Structure and Leadership

Security should be a top-level business priority, not a cost center. CISA recommends that manufacturers:

  • Have executive-level accountability for product security
  • Invest in security engineering talent
  • Integrate security into product development processes rather than bolting it on afterward

Secure by Default: The Details

The "Secure by Default" component is where the rubber meets the road. CISA's guidance specifies concrete expectations:

Eliminate default passwords. Products should not ship with default credentials. Period. This has been a known problem for decades, yet new products still ship with admin/admin.

MFA by default. Multi-factor authentication should be enabled out of the box for administrative accounts, not offered as an optional add-on.

Logging enabled by default. Security-relevant logging should be on by default and available at no additional cost. CISA specifically called out vendors that charge extra for security logging—a practice that was brutally exposed by the Microsoft Exchange breaches.

Harden by default. Products should ship with secure configurations. Unnecessary features, ports, and services should be disabled. If a feature introduces security risk, it should require explicit opt-in.

Automated security updates. Products should update themselves or make updating easy. The customer should not need to manually download and apply patches.
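To make the five expectations above concrete from a buyer's or producer's side, here is an added example (not CISA's guidance text and not code from any vendor named on this page) that audits a product's shipped configuration against each expectation and produces the corrected defaults beside the weak ones. The appliance configuration, the `OPT_IN_SERVICES` list and the `audit_defaults` / `harden_defaults` function names are assumptions constructed for this illustration.

```python
"""Secure-by-default audit of a product's shipped configuration.

Added example, not code from CISA or any vendor. It assumes a hypothetical
product whose factory configuration is a flat dict (constructed below) and
checks it against the five Secure by Default expectations.
"""
from copy import deepcopy
from dataclasses import dataclass

# Management/legacy services that should be opt-in rather than enabled at ship
# time (assumed list for this example, not a CISA-published one).
OPT_IN_SERVICES = {"telnet", "http_mgmt_ui", "snmp_v1", "debug_api"}


@dataclass(frozen=True)
class Finding:
    control: str  # which Secure by Default expectation is violated
    detail: str   # what was observed in the shipped configuration
    fix: str      # the default the product should ship with instead


def audit_defaults(config: dict) -> list[Finding]:
    """Return one Finding per secure-by-default expectation the config violates."""
    findings: list[Finding] = []

    for acct in config.get("accounts", []):
        # Eliminate default passwords: any vendor-supplied password is a default credential.
        if acct.get("password") is not None:
            findings.append(Finding(
                "default-passwords",
                f"account {acct['user']!r} ships with a factory password",
                "ship no password; force the operator to set one at install/first login"))
        # MFA by default for administrative accounts.
        if acct.get("role") == "admin" and not acct.get("mfa_enabled", False):
            findings.append(Finding(
                "mfa-by-default",
                f"admin account {acct['user']!r} has MFA disabled",
                "enable MFA for administrative roles out of the box"))

    # Logging enabled by default, at no additional cost.
    logging = config.get("logging", {})
    if not logging.get("enabled", False):
        findings.append(Finding("logging-by-default",
                                "security logging is off in the shipped config",
                                "enable security-relevant logging by default"))
    if logging.get("requires_premium_license", False):
        findings.append(Finding("logging-by-default",
                                "security logging is gated behind a premium license",
                                "make security logging available at every license tier"))

    # Harden by default: risky services require explicit opt-in.
    for svc in config.get("enabled_services", []):
        if svc in OPT_IN_SERVICES:
            findings.append(Finding("harden-by-default",
                                    f"service {svc!r} is enabled at ship time",
                                    f"disable {svc!r}; require explicit opt-in"))

    # Automated security updates.
    if not config.get("auto_update", {}).get("security_patches", False):
        findings.append(Finding("automated-updates",
                                "security patches are not applied automatically",
                                "enable automatic security updates by default"))
    return findings


def harden_defaults(config: dict) -> dict:
    """Return a copy of the config with every audited default corrected."""
    hardened = deepcopy(config)
    for acct in hardened.get("accounts", []):
        acct["password"] = None  # no factory credential shipped
        if acct.get("role") == "admin":
            acct["mfa_enabled"] = True
    hardened["logging"] = {"enabled": True, "requires_premium_license": False}
    hardened["enabled_services"] = [s for s in hardened.get("enabled_services", [])
                                    if s not in OPT_IN_SERVICES]
    hardened["auto_update"] = {"security_patches": True}
    return hardened


# Constructed factory configuration of a hypothetical network appliance.
SHIPPED_CONFIG = {
    "accounts": [
        {"user": "admin", "password": "admin", "role": "admin", "mfa_enabled": False},
        {"user": "monitor", "password": None, "role": "readonly", "mfa_enabled": False},
    ],
    "logging": {"enabled": False, "requires_premium_license": True},
    "enabled_services": ["https_mgmt_ui", "http_mgmt_ui", "telnet", "ssh"],
    "auto_update": {"security_patches": False},
}

if __name__ == "__main__":
    for f in audit_defaults(SHIPPED_CONFIG):
        print(f"[{f.control}] {f.detail} -> {f.fix}")
    print("findings after hardening:", audit_defaults(harden_defaults(SHIPPED_CONFIG)))
```

Run as-is, the audit reports seven findings on the shipped configuration (one per default credential, one per admin account without MFA, two for logging, one per opt-in service left on, one for updates) and none on the hardened copy. The same checks work as procurement questions: each `Finding.fix` is the default a buyer can ask a vendor to confirm before purchase.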

Why 2023 Was the Tipping Point

Several events in 2023 made CISA's message resonate:

The Microsoft Exchange/Outlook breaches. Chinese threat actors (Storm-0558) breached U.S. government email accounts through a stolen Microsoft signing key. The breach was discovered not by Microsoft but by a State Department analyst who happened to have premium logging—which most organizations couldn't afford. This directly supported CISA's argument that security logging shouldn't be a premium feature.

MOVEit Transfer (CVE-2023-34362). The mass exploitation of Progress Software's MOVEit Transfer application exposed hundreds of organizations. The vulnerability existed in a file transfer product that many organizations had deployed with default configurations.

Cisco IOS XE (CVE-2023-20198). Over 40,000 Cisco devices were compromised through a web UI that was enabled by default. CISA pointed to this as a case where secure defaults would have prevented mass exploitation.

Industry Response

The response from the software industry has been mixed:

Positive signals: Several major vendors signed CISA's Secure by Design pledge, committing to specific security improvements. Microsoft announced that security logging would be available to all license tiers. Google expanded default MFA requirements.

Resistance: Some vendors pushed back on the cost implications, arguing that hardened defaults would reduce product usability and increase support costs. Others noted that customers often demand insecure configurations for convenience.

Procurement leverage: Federal procurement requirements increasingly reference Secure by Design principles. OMB Memorandum M-22-18 requires software vendors selling to the federal government to attest to secure development practices, and CISA's guidance provides the framework for what "secure" means.

What This Means for Organizations

As a software buyer: Use CISA's Secure by Design principles as evaluation criteria. Ask vendors about default configurations, logging costs, MFA implementation, and SBOM availability. Prefer products that are secure out of the box.

As a software producer: Audit your products against CISA's guidance. Identify default configurations that put customers at risk. Invest in eliminating classes of vulnerabilities rather than playing whack-a-mole with individual bugs.

As a security team: Use CISA's framework to justify security investments. "CISA says secure logging should be free" is a powerful argument in budget discussions.

How Safeguard.sh Helps

Safeguard.sh aligns with CISA's Secure by Design principles by providing the transparency and visibility that both software producers and consumers need. For producers, our platform helps generate and maintain SBOMs, track vulnerability remediation, and demonstrate secure development practices. For consumers, Safeguard.sh evaluates the security posture of your software supply chain against frameworks like CISA's guidance, identifying products and dependencies that don't meet secure-by-default standards. Our compliance reporting maps your security posture to regulatory expectations, making audit preparation straightforward.
