Secure by Design

The catchphrase of the cyber security industry in recent years has been the three-word “Secure by Design”, which is where companies try to pretend they’re doing something new but aren’t.

As with all catchphrases, it can be wielded to mean anything that the wielder wants it to mean, rendering it saturated and useless. It can be added to the pile along with “Next-Gen”, “Single Pane of Glass”, and other shibboleths that marketing and sales can repeat ad infinitum.

In order to get me to take you as a vendor seriously, you have to show me your design. Just like any other feature of your platform, I can’t trust what you’re saying unless it’s verifiable.

What does verifiable Secure by Design look like?

Perhaps the problem can be solved by standards? But we tried this with ISO 27001, and now large companies fill entire departments with people whose sole directive is to shout down any change because it’s Not Compliant and Won’t Pass Audit. Not to mention that most audits are a tickbox exercise that proves no degree of security, and you’ll still Get Hacked Anyway and Lose My Data because, oopsie, you left a privileged account lying around that got taken over by an attacker.

Maybe penetration tests for any security product should become mandatory? Great way for some to make a killing. Again, the problem is that the commissioning companies hold all the control over scope, severity ratings and report publishing rights - no pentest results ever need to make it out into the open.

If we can’t solve the trust problem with audits and pentests, what do we have left? I posit that in order to make Secure by Design a reality, and not just a stick that random bloggers can beat imaginary strawmen over the head with, both security vendors and national bodies (such as the NCSC) need to start publishing examples of what they mean.

Show me how your software and hardware platforms are architected. You can still keep the copyright. I might not have the technical expertise to understand them, but we already have a healthy ecosystem of experts running personal blogs who will loudly point out any issues. Yes, some companies may take a short-term hit in the Court of Public Opinion if they get things wildly wrong, but in the long term this can only be healthy, with incentives to build rapport. Imagine a security industry where the most successful vendor is the one with a sensible design, rather than whoever can spend the most money going to conferences and evangelising.