A group of industry experts have published a letter to the US Cybersecurity and Infrastructure Security Agency (CISA) in response to its recent secure by design guidance document.
The letter urges CISA to go further in integrating and advocating threat modeling in the document, which aims to help manufacturers prioritize cybersecurity practices while designing technology products.
The guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, was published jointly by CISA, the FBI, the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the UK, Germany, the Netherlands, and New Zealand in April 2023.
It provides specific technical recommendations as well as outlining core principles around security by design, aligning with aims set out in the Biden Administration’s National Cybersecurity Strategy, which was published in March 2023.
However, the group of industry experts, authors, presenters and academics argue that the guidance needs to include specific details on how to implement security-by-design through threat modeling.
Threat modeling is a structured process of identifying, quantifying and remediating security threats and vulnerabilities.
While the experts welcomed the guidance document’s reference to “a tailored threat model” as a component of the product deployment process, they noted that “organizations need to develop the capacity to threat model via training, support and help, tooling and other capability elements.”
Therefore, they call for more specificity on how to implement security by design through threat modeling, including defining “radical transparency” in this context.
The authors added that they would like to see “clarification of the relationship between security guidance and radical transparency.” This includes defining how far along the supply chain transparency is appropriate.
The seven-page letter also sets out a range of more specific opportunities to improve provisions within the guidance.
Signatories to the letter include author and academic Adam Shostack; Alyssa Miller, CISO at Epiq Global; Stephen de Vries, CEO at IriusRisk; and Kim Wuyts, researcher and creator of the LINDDUN privacy threat modeling methodology.
Shostack commented: “This new guidance is a big step forward for secure design. It is the first time that broad-based cybersecurity agencies have come together to develop joint principles and urge manufacturers to do more to ensure that the software and technology that they make is secure from the outset.
“However, we would like to see them go one step further by encouraging the widespread adoption of threat modeling in updated or future guidance. Effective threat modeling is a prerequisite for designing secure software and the best way to reduce and mitigate vulnerabilities.”