WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released the “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem,” which helps organizations buying software better understand their software manufacturers' approach to cybersecurity and ensure that secure by design is one of their core considerations.
An organization’s acquisition staff often has a general understanding of the core cybersecurity requirements for a particular technology acquisition. However, they frequently don’t assess whether a given supplier has practices and policies in place to ensure that security is a core consideration from the earliest stages of the product development lifecycle.
This guide provides organizations with questions to ask when buying software, considerations for integrating product security into various stages of the procurement lifecycle, and resources to assess product security maturity in line with secure by design principles. Informed by the threat landscape, it provides categorized sets of actions that, if done correctly, will demonstrate to the customer that the software manufacturer is taking actions that will drive down exploitable defects and misconfigurations – a safer product for the customer.