New Paper Recommends Secure by Design Standard

April 17, 2025—Software enables our way of life, but market forces have sidelined security concerns, leaving software vulnerable to attack. Fixing this problem will require the software industry to develop an initial standard for creating software that is secure by design. These are the findings of a recently released white paper coauthored by Greg Touhill, director of the Software Engineering Institute (SEI) CERT Division, which researches cybersecurity for national defense.
“Despite decades of advancements in technology, our software systems remain shockingly vulnerable,” wrote Touhill and the other members of AFCEA International’s Cyber Committee in the paper Secure by Design—Next Steps. The paper argues that business incentives favoring functionality and speed to market have led software development organizations to push product security concerns to the end of the development cycle and beyond. As shipped, software carries vulnerabilities that customers must mitigate through continual patching, third-party tools, and security settings they configure themselves. Overlapping but inconsistent security guidance from government and industry groups has further complicated software regulation and compliance.
Touhill said research by the SEI CERT Division supports these findings. “We find that many software development organizations prioritize product attributes such as functionality, time to market, and pre-planned product improvements. Baking security into the original design often is subordinated as a lower priority requirement, resulting in software delivered with numerous vulnerabilities. This situation fuels a complex and expensive risk management ecosystem highlighted by costly and frequent patching, additional software testing, and integration challenges driven by a changing codebase.”
These sentiments echo the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design initiative, announced in 2023. The SEI has been promoting the same shift-left approach to securing software for national defense since developing secure coding standards in the mid-2000s. Since then, it has developed and fostered other techniques for securing software for both the warfighter and the broader community, including by hosting the annual Secure Software by Design event.
The paper’s authors wrote that to make software systems secure and robust, the community must improve “the fundamental process of developing software.” Some software development organizations do this well, by tying business success to software reliability, mitigating external dependencies, and other methods. However, the paper claims that the overall software industry lacks certain elements it needs in order to incorporate security into software development: discrete measures of cybersecurity, prioritization of the many software development best practices, and governance-driven market incentives to change.
The paper provides four recommendations for making software secure by design:
- Establish an initial prioritized and measurable standard, led by industry, for software development principles and processes.
- Motivate adoption of the initial standard by requiring vendors and customers to demonstrate its successful implementation.
- Require demonstrated proof of having met the standard.
- Provide standard-adopting organizations safe harbor indemnity against lawsuits.
“If ‘data is the new oil,’ I contend that software is the engine,” said Touhill, commenting on the paper. “Creating software by using secure by design principles ensures that the system is optimized to deliver effective, efficient, and secure outcomes. That, in turn, reduces risk and delivers best value.”
Touhill went on to say that the SEI’s evidence-based research and development activities continue to identify software development best practices that benefit national security missions and fortify national economic strength and competitiveness. “Software developers who have yet to embrace secure by design principles do not have to look far for help,” he said. “They can move quickly by following the decades of pioneering SEI work on making software secure by design.”
Access the white paper Secure by Design—Next Steps on the AFCEA International website. AFCEA International is an association for government, industry, and academic professionals in information technology.
Learn more about the SEI’s Secure Software by Design event on its home page. Hear more from Touhill on secure by design approaches in the SEI Blog and SEI Podcasts. Discover the SEI’s research on Agile methods, cybersecurity engineering, continuous deployment of capability, and secure development on our website, www.sei.cmu.edu.