How the Secure by Design initiative can change cybersecurity strategies

GitLab's federal technology chief Joel Krooswyk explains the role of DevSecOps, software bills of materials and artificial intelligence in driving greater transparency and efficiency in government software development.

From Continuous Diagnostics and Mitigation to Zero Trust to Secure by Design, the federal government’s approach to cybersecurity keeps evolving as we learn more about the threats.

Understanding that threats can enter from any point in the software supply chain, a Secure by Design approach is now the standard for federal agencies—and any organization that touches their software.

The Cybersecurity and Infrastructure Security Agency introduced its Secure by Design initiative in April 2023. It asks software manufacturers to take ownership of their customers' security outcomes, to embrace radical transparency and accountability, and to lead from the top by building the organizational structure and leadership needed to make security a business priority.

CISA has been active in the year since, providing agencies with a wide range of guidance from a second iteration of the Secure by Design document to the Secure Software Development Attestation Form published with the Office of Management and Budget.

As agencies prioritize becoming Secure by Design, steps include utilizing effective DevSecOps practices, maintaining a software bill of materials (SBOM), and incorporating AI to defend against threats entering from any point in the software development lifecycle.

Adopting DevSecOps Practices

One of the first steps to support a Secure by Design posture is a secure software development process. This means developing, building, securing, and deploying software using a comprehensive DevSecOps approach.

Today, many developers rely on complex toolsets to create new programs. A recent survey by GitLab found that 19% of U.S. public sector respondents use 11 or more tools for development. That sprawl is not just inefficient; every additional tool is another place where a misconfiguration, an unpatched component, or an over-privileged integration can introduce a vulnerability.

Developers should be able to reach every tool a DevSecOps workflow needs from a single, easy-to-use interface. Without that consolidation, a Secure by Design approach can only become a reality by increasing the burden on developers.

Creating and Maintaining SBOMs

Embracing transparency is another significant part of being Secure by Design. Agencies must understand what’s in their software, especially when it may include components from multiple sources.

Software bills of materials are essential tools for achieving this transparency. They offer detailed inventories of software components, including version, license, and dependency details, that enable greater awareness of potential vulnerabilities.

Maintaining this inventory lets agencies understand the vulnerabilities and risks that arise when components are pulled in from open-source repositories or licensed from third parties. A DevSecOps platform can generate and update SBOMs automatically and integrate them into existing workflows, where each listed component can be linked to its known vulnerabilities.

While many agencies now produce SBOMs, an SBOM is only fully effective when it is dynamic, connected to security scanning tools, and regenerated with every build rather than written once and left to drift. When integrated with scanning tools and dashboards, SBOMs give a direct way to identify the risks associated with an application. Even where they are not required, SBOMs support compliance with security regulations by documenting exactly which components a build contains, though an SBOM is an inventory rather than proof that the code itself is secure.
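The correlation step described above, linking each SBOM component to known vulnerabilities and to a license policy, is small enough to show end to end. The following is an added example and is not GitLab's code or any product's implementation: it parses a CycloneDX SBOM, matches component package URLs (purls) against an advisory feed, and flags license policy violations. The SBOM, the advisory feed, its `EX-2024-*` identifiers, and the `purl_prefix`/`introduced`/`fixed` feed format are all constructed for the example; a real pipeline would read the SBOM artifact emitted by the scanner and query a vulnerability database such as OSV or the NVD.

```python
"""Correlate a CycloneDX SBOM with a vulnerability feed and a license policy.

Added example (not GitLab's code). All sample data below is constructed:
the SBOM, the advisory feed, and its identifiers are illustrative only.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 SBOM with only the fields this example needs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-lib", "version": "1.2.0",
         "purl": "pkg:npm/example-lib@1.2.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        # Pre-release version string: not comparable numerically.
        {"type": "library", "name": "example-tool", "version": "1.0rc1",
         "purl": "pkg:pypi/example-tool@1.0rc1",
         "licenses": [{"license": {"name": "Proprietary"}}]},
    ],
})

# Constructed advisory feed (hypothetical IDs and format). A component is
# affected when introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "EX-2024-0001", "purl_prefix": "pkg:pypi/requests", "introduced": "0", "fixed": "2.31.0"},
    {"id": "EX-2024-0002", "purl_prefix": "pkg:npm/lodash", "introduced": "0", "fixed": "4.17.21"},
    {"id": "EX-2024-0003", "purl_prefix": "pkg:npm/example-lib", "introduced": "1.0.0", "fixed": "1.3.0"},
    {"id": "EX-2024-0004", "purl_prefix": "pkg:pypi/example-tool", "introduced": "0", "fixed": "1.1.0"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str
    licenses: tuple[str, ...]


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    purl: str
    status: str  # "affected", or "review" when the version could not be compared


def parse_sbom(text: str) -> list[Component]:
    """Load a CycloneDX JSON document into Component records, rejecting other formats."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in doc.get("components", []):
        licenses = tuple(
            entry.get("license", {}).get("id") or entry.get("license", {}).get("name", "UNKNOWN")
            for entry in c.get("licenses", [])
        )
        components.append(Component(c["name"], c.get("version", ""), c.get("purl", ""), licenses))
    return components


def split_purl(purl: str) -> tuple[str, str]:
    """Return (type/namespace/name, version), dropping purl qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    prefix, _, version = base.rpartition("@")
    return prefix, version


def parse_version(version: str) -> tuple[int, ...]:
    """Dotted numeric versions only; anything else raises ValueError."""
    return tuple(int(part) for part in version.split("."))


def match_vulnerabilities(components: list[Component], advisories: list[dict]) -> list[Finding]:
    """Flag components whose purl and version fall inside an advisory's affected range.

    A match is a candidate finding, not proof of exploitability in this build;
    versions that cannot be compared are surfaced for manual review instead of
    being silently skipped.
    """
    findings = []
    for comp in components:
        prefix, version = split_purl(comp.purl)
        for adv in advisories:
            if adv["purl_prefix"] != prefix:
                continue
            try:
                v = parse_version(version)
                affected = parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])
            except ValueError:
                findings.append(Finding(adv["id"], comp.purl, "review"))
                continue
            if affected:
                findings.append(Finding(adv["id"], comp.purl, "affected"))
    return findings


def license_violations(components: list[Component], denied: set[str]) -> list[str]:
    """Return purls of components carrying a license on the deny list."""
    return [c.purl for c in components if any(lic in denied for lic in c.licenses)]


if __name__ == "__main__":
    comps = parse_sbom(SAMPLE_SBOM)
    for f in match_vulnerabilities(comps, SAMPLE_ADVISORIES):
        print(f"{f.status:8} {f.advisory_id} {f.purl}")
    print("license violations:", license_violations(comps, {"GPL-3.0-only"}))
```

The boundary behaviour is deliberate: lodash 4.17.21 equals the fixed version and is not reported, while the pre-release `1.0rc1` is reported as "review" rather than dropped, because a scanner that silently skips what it cannot parse produces a dashboard that looks clean for the wrong reason.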

Using AI in Software Development

As federal agencies explore ways to utilize AI, software development workflows provide a valuable entry point to the technology, which has the potential to accelerate development processes and enhance security.

The public sector is already beginning to explore these applications—35% of U.S. public sector respondents in GitLab’s report said they are already using AI in the software development lifecycle.

Applying AI across the full software development lifecycle, rather than in isolated tools, helps agencies avoid silos and backlogs within development workflows. AI can perform key functions such as:

  • Uncommented code explanation and legacy code refactoring into memory-safe languages.
  • Root cause analysis for DevSecOps pipelines, expediting solutions for difficult problems during testing.
  • Vulnerability resolution: proposing fixes for known vulnerabilities so that remediation is more thorough and consistent.

The Biden administration is working with software developers to create frameworks that give the private sector legal incentives to produce and release Secure by Design software. That approach builds security into software from the moment it is designed rather than adding it after the fact.

With security built into software development from the start, transparency through effective SBOMs, and AI enhancing the development process, everyone involved in the software development lifecycle will be positioned for success.


Joel Krooswyk is the federal chief technology officer at GitLab.