Secure by Design at CERT
A troubling development in the cyber realm is society’s acceptance of the expectation that all software is released with defects that must be dealt with through patches, most of which follow exploitation of weaknesses in the software by nefarious actors. In a recent address to the nation from Carnegie Mellon University, Jen Easterly, director of the Cybersecurity Infrastructure Security Agency (CISA), noted that this “normalization of deviance” has meant that we are accepting software products that fail to approach our own standards for safety. In her address, Easterly cited work by Diane Vaughan, who wrote about the 1986 Challenger disaster and the decisions leading up to it. Vaughan’s book characterized an environment in which people become so accustomed to a deviant behavior that they don't consider it as deviant. Unfortunately, as Easterly noted, we have become inured to ransomware and cyber attacks, so she called upon technology and software producers to shift left and incorporate security earlier in the development lifecycle to ensure that robust security is a feature of every product that the public, military, and government uses.
Within days of Easterly’s speech, the White House released the national cybersecurity strategy, which, among other things, calls for more expansive regulation to shift responsibility for secure software products and services onto technology manufacturers who have traditionally relied on users to configure security into their products. This notion of secure by design has been a long-standing tenet of all the work that we undertake at the SEI and, in particular, our CERT Division, which specializes in cybersecurity engineering and resilience research and development. In this post, I will highlight our continued and longstanding efforts to ensure security by design in fielded software.
A Changing Cyber Landscape
Since its creation in 1988 in response to the Morris Worm, the SEI’s CERT Division has emphasized the importance of security and resilience in all software. In the wake of the threat from the Morris worm, the SEI’s CERT Division became the hub for coordinating global efforts to prepare for and respond to threats as they arose. Over time, the CERT Division used the experience and expertise it gained from this work to become more proactive and to develop best practices in software development to introduce security that could prevent such events. Early work in this area includes the globally accepted Capability Maturity Model.
More recently, the CERT Division developed secure coding practices that are now widely applied in industry, and we’ve also developed the CERT Resilience Management Model, which helps organizations define the essential organizational practices that are necessary to manage operational resilience. Today, the CERT Division continues to coordinate efforts throughout the cyber community to address security concerns early and throughout the development cycle, before they can cause widespread harm and while the cost of finding and fixing vulnerabilities is less than if they were discovered after products go to market.
The CERT Division has also become an authority in advancing the adoption and implementation of the zero trust security strategy, another key tenet of the national cybersecurity strategy. We’ve been exercising zero trust in the physical security domain for generations by only permitting personnel access to facilities based on their authorizations, identity verification, and need-to-know. Now, enabled by software-defined capabilities, the cyber community is embracing the zero trust strategy and applying it to the digital world.
The zero trust security strategy relies on the disciplined approach that removes implied trust and requires organizational leaders to explicitly authenticate and authorize subjects, assets, and workflows. Recognizing that zero trust is the starting point on the path to digital trust, we continue to bring together experts in government and industry to identify best practices for implementing the zero trust strategy, creating zero trust architectures, and furthering zero trust areas of research. In the long term, we are working to test our zero trust recommendations to provide the DoD and other organizations evidence-based guidance that has been proven to be effective in the real world.
During her speech, Director Easterly called for greater transparency among tech manufacturers with respect to the safety of their products and legal protections to “security researchers who report vulnerabilities, letting those researchers talk publicly about their findings, and taking care to address root causes of those vulnerabilities.” In keeping with these ideas, CERT provides ongoing coordination of vulnerability disclosure, researchers in the CERT Division published, and continue to update, The CERT Guide to Coordinated Vulnerability Disclosure.
Our researchers have also released tools to help communicate and mitigate vulnerabilities, especially in situations where such mitigation can be challenging. One example of this work is Vultron, an innovative tool that helps coordinate efforts among multiple vendors to disclose vulnerabilities. Coordination is one of the challenges that slows the disclosure process, and our researchers are leading efforts to address the realities of today’s cyber realm to overcome these challenges.
Our technical agenda supports a number of CISA initiatives to ensure that technology manufacturers are committed to developing products that are secure by default out of the box and that are built with the human operator in mind. We cannot afford continued reliance on products that require already skilled personnel many months or years of training to master the product’s installation, configuration, and operation. Such a model is unacceptable and not sustainable.
As the cyber landscape continues to evolve, so has the CERT Division’s technical strategy. Today’s software systems feature extensive reuse of code, a practice that makes it faster, less expensive, and easier to field products. Too often, however, the supply chain that supplies this reused code is not secure and developers inherit unknown vulnerabilities. To make matters worse, the supply chain, as well as all of the software that organizations rely on to do daily business, are the result of a vast, interconnected network of systems of systems, which has expanded the risk and attack surface considerably. With our national security and our economy reliant on these highly complex systems, cybersecurity can no longer be an afterthought that developers bolt on at the end.
The need for provisioning cybersecurity capabilities is magnified in importance by the rapid advances in artificial intelligence and machine learning (AI/ML) capabilities. Generative AI tools, such as ChatGPT, have considerably broadened the attack surface, with issues ranging from the safety and relevance of training data, to issues with outdated models, and the threats posed by adversarial AI. As AI becomes more prominent, organizations need to make the security of these systems integral to their development and maintenance.
Given these conditions, secure by design and secure by default have become more critical than ever. Director Easterly’s speech served to confirm the four cornerstones of our strategy that we developed to guide all work at the CERT Division:
- Advance cyber by design—Our researchers work to develop and transition evidenced-based solutions that address foundational enduring challenges to the operational resilience of platforms, systems, and organizations.
- Enhance cyber resilience—In today’s operational climate, it’s not a matter of if a system will be attacked but when. When tech manufacturers incorporate security best practices, such as DevSecOps, into their workflows, the resulting products provide organizations and government agencies the resilience to withstand a cyber attack and continue operations.
- Move the market— During our research, we demonstrate where products, technologies, and processes are failing and identify weaknesses. More importantly, we work to identify solutions. By sharing our research, we help move the market to create products and capabilities that are secure by design and secure by default.
- Shaping the future—For over 35 years the CERT Division has created new capabilities that have positively changed the cyber environment and shaped a better future in the digital world. We remain committed to research and developing new capabilities that promote the creation of software and software-intensive systems that are more effective, efficient, and secure. Partnering with national security, academia, and industry, we shape the future of a digital ecosystem where information technology is secure out of the box and provides capabilities that liberate America’s workforce and unleash the potential of our national security and national economy.
Current Secure by Design Research Efforts at CERT
Whether for traditional systems or those with AI components, researchers in the CERT Division work to develop practices that increase the trustworthiness and assurance of systems used by the federal government, businesses, and everyday citizens. By analyzing our capabilities, as well as those of our adversaries, we continually improve cybersecurity practices, such as developing secure coding and automated code repair to guide the secure engineering of platforms across the lifecycle. Other focus areas include creating system architectures, technologies, and practices that, when applied, improve safety and security for cyber-physical systems, zero-trust architectures, and highly resistant and survivable weapon systems. To verify the intended properties and to identify vulnerabilities, we focus on scalable test regimes that can be integrated into continuous integration (CI) and continuous delivery (CD) software factories.
Collectively, these practices also enable certification and accreditation processes (e.g.,
continuous authority to operate and flightworthiness) so that we can field new capabilities more quickly and make the latest technologies available to warfighters in the Department of Defense.
Our work at CERT includes activities in
- ensuring a high level of software assurance
- promoting the rapid discovery and mitigation of software vulnerabilities
- integrating trustworthiness into AI and machine learning capabilities
- countering adversarial AI tactics, techniques, and procedures (TTPs)
In the remainder of this post, I highlight a handful of efforts underway at the CERT Division to ensure secure by design and secure by default; these include the following:
- Advocating for continuous integration and continuous delivery software factories— Developed and fielded software needs to be continually improved upon to keep pace with our adversaries and maintain our competitive advantage. Addressing recommendations put forth by the Defense Science Board, our efforts in this area build upon the related concepts of continuous delivery and continuous integration to ensure that if a system has been fielded that is not secure, it can be updated as quickly as possible. This ensures that our warfighters are always equipped with the most updated and secure capabilities.
- Advancing DevSecOps—DevSecOps uses a shift left approach that incorporates a variety of security capabilities (e.g., static code analysis scans and dynamic code analysis) within the DevSecOps automated CI and CD pipelines. This approach is the preferred means of developing software and delivering secure resilient code. Most recently, CERT researchers have taken DevSecOps into the reality of the marketplace, with the Platform Independent Model for DevSecOps. Version 1 came out in May 2022 and was updated in November 2022 based on feedback we got from the marketplace.
- Promoting memory-safe languages—During her speech at CMU, Director Easterly noted that two-thirds of known software vulnerabilities are a class of weakness referred to as memory safety vulnerabilities. We refer to traditional programming languages, such as C and C++, as memory unsafe, because they are unable to protect from various software vulnerabilities when dealing with memory access. By adopting memory-safe languages, such as Rust, Go, Python, and Java, we can significantly reduce the number of vulnerabilities exploited by hackers, such as buffer overflows. At the CERT Division, our researchers recently explored security issues related to Rust, including its limitations, such as the types of secure-coding errors that can occur in Rust code. A related effort examined tools for understanding vulnerabilities in the Rust programming language as well as the maturity of the Rust software ecosystem as a whole. Our research in this area continues.
- Securing the supply chain—The supply chain breach of SolarWinds devastated government entities and private organizations. In addition to financial losses of more than $90 million, new reports cite compromises as a result of the SolarWinds attack at 250 government agencies, including the U.S. Treasury Department, the State Department, and nuclear research labs. To secure the supply chain, researchers in the CERT Division recently developed the Acquisition Security Framework (ASF) to help organizations identify the critical touchpoints needed for effective supply chain risk management. The framework details a set of practices needed for proactive management of supply chain cyber risk.
- Building the secure by design community—One important aspect of our work within the CERT Division and the broader SEI is bringing together communities of practitioners from across the globe to foster collaboration and outline areas of future research. We recently hosted Secure Software by Design, a two-day event focused on helping practitioners make security an integral aspect of the entire software lifecycle as a result of deliberate, intentional, engineering processes rather than addressing security in individual stages as one-off activities.
Building Secure by Design in Future Systems
As we look to the future, it is increasingly clear that securing the cyber domain will continue to be of vital importance not only for government and industry but for every citizen. In guiding future research in the SEI’s CERT Division, our focus remains on helping the United States maintain its competitive advantage in the cyber realm by leveraging cutting-edge research and AI to ensure that the cybersecurity systems and tools we produce are properly engineered for ever-evolving threats and are engineered to be to secure by design and secure by default.
Listen to the SEI Podcast Secure by Design, Secure by Default with Greg Touhill.