
Secure by design

CISA's Secure by Design guidance in April 2023 called on software vendors to ship secure products by default, emphasising memory-safe languages, secure defaults, and vulnerability disclosure. The shift-left security movement gained federal backing.


The Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and allied cyber authorities issued a joint advisory on 13 April 2023 calling on software manufacturers to operationalize security-by-design and security-by-default principles. The document stresses that vendors, not end users, need to bear primary responsibility for patching known weaknesses, shipping secure configurations, and investing in memory-safe development practices. Executives should treat the advisory as a de facto baseline for procurement, federal contracting, and critical infrastructure partnerships. CISA then launched a voluntary Secure by Design pledge requiring signatories to publish memory safety, default security, and vulnerability disclosure milestones, giving customers a lever to demand measurable progress.

Officials highlight that ransomware crews and nation-state operators continue to weaponise vendor design flaws, making sustainable zero trust programs impossible unless suppliers eliminate entire classes of vulnerability at the source.

What the principles require

The guidance centers on three strategic pillars:

  • Ownership of customer security outcomes. Vendors must architect products so that exploitation requires significant effort, even when customers lag on hardening. This includes eliminating default passwords, isolating tenants by design, and providing rapid security updates.
  • Radical transparency and accountability. Suppliers will issue candid security advisories, publish support lifecycles, and share exploit intelligence without threatening legal retaliation against researchers.
  • Organizational leadership. Boards and C-suites must fund security features as core product requirements, incentivise engineering teams to prioritize resilience, and measure progress with customer-focused metrics.

International partners—including the UK’s NCSC, Australia’s ACSC, and Canada’s CCCS—endorsed the principles, signaling that global regulators will evaluate vendor behavior against the same standard.

Implementation blueprint

Product teams should break the advisory into actionable workstreams:

  • Architecture and design. Introduce threat modeling checkpoints at each stage of the product lifecycle, covering misuse cases, abuse economics, and supply-chain dependencies. Document security assumptions and build guardrails that fail safe when conditions are violated.
  • Development and testing. Expand automated testing beyond functional coverage to include fuzzing, static analysis, and dependency checks. Track test debt as rigorously as feature debt and ensure security regressions block releases.
  • Education and culture. The advisory emphasizes structured education programs (secure coding curricula, memory-safety bootcamps, and red-team exercises) to ensure every role understands its contribution to secure-by-design outcomes. Embed these requirements into onboarding and annual certification cycles and track completion alongside other compliance training.
  • Secure-by-default configurations. Ship products with the strongest controls activated: MFA, least-privilege roles, encrypted communications, secure logging, and telemetry streaming to customer SIEMs. Provide configuration profiles for different risk tiers rather than expecting customers to craft policies from scratch.
  • Update delivery. Engineer zero-downtime update pipelines and cryptographically signed packages so emergency patches can be deployed within hours of discovery. Offer APIs and orchestration playbooks so customers can automate rollouts.
  • Transparency portals. Maintain living SBOMs, product roadmaps, and vulnerability advisories accessible without NDAs. Reference CISA’s Known Exploited Vulnerabilities catalog and issue machine-readable notices that customers can ingest into asset management platforms.

Governance, incentives, and culture

Leaders should embed secure-by-design metrics into corporate governance. Set up a security steering committee chaired by the CTO or CPO with quarterly reporting to the board on:

  • Percentage of development budget earmarked for security features and technical debt remediation.
  • Time to remediate critical vulnerabilities, especially those listed in the KEV catalog.
  • Adoption rate of memory-safe languages for new services, along with coverage of exploit mitigation features (ASLR, CFI, stack canaries) for legacy components.
  • Customer satisfaction scores tied to security support and transparency.

Align incentive structures so product managers are rewarded for reducing customer exposure time, not just shipping new functionality. Security training should extend beyond engineers to UX designers, sales engineers, and legal teams so they can articulate secure-by-default value propositions.

Sector-specific guidance

  • SaaS and cloud providers. Implement tenant-isolation testing, default encryption for data at rest and in transit, and automated provisioning of least-privilege roles. Provide configuration drift detection and well-documented APIs for security integration.
  • Operational technology (OT) vendors. Prioritize secure boot, authenticated firmware updates, and network segmentation guidance. Supply digital twins or lab kits so customers can validate patches before deploying to plant environments.
  • Device manufacturers. Remove unnecessary services, ship with automatic update mechanisms, and embed tamper detection to protect physical assets in the field.
  • System integrators and MSPs. Incorporate secure-by-design expectations into supplier contracts and monitor subcontractors for adherence, especially when reselling software into critical infrastructure sectors.

Measuring impact and maintaining momentum

Teams should stand up dashboards and public scorecards that track:

  • Secure configuration adoption. Percentage of customer deployments using vendor-provided secure baselines versus custom, potentially weaker configurations.
  • Memory safety progress. Reduction in reported memory-corruption flaws and increase in code coverage for fuzz testing.
  • Patch uptake. Average days between patch release and deployment across the installed base, segmented by product line.
  • Transparency engagements. Number of coordinated vulnerability disclosures, bug bounty submissions resolved, and customer briefings delivered after high-profile incidents.
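As an added example (not code from the advisory, from CISA, or from any vendor's tooling), the following computes two of the figures named on this page, the board-level time to remediate KEV-listed vulnerabilities and the patch-uptake average segmented by product line, from constructed records. The `cveID` and `dueDate` keys are the real field names of CISA's KEV JSON feed; the CVE ids, product lines, dates and the reporting date are placeholders constructed for the example.

```python
import json
from datetime import date
from statistics import mean

# Constructed excerpt in the shape of CISA's KEV JSON feed (cveID and dueDate are the
# feed's real field names); the CVE ids and dates are placeholders, not real entries.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-00001", "dueDate": "2023-05-01"},
  {"cveID": "CVE-0000-00002", "dueDate": "2023-06-15"}]}"""

# Constructed remediation records, one per (product line, CVE): when the vendor released
# the patch and when it reached the installed base (None = still undeployed).
RECORDS = [
    {"product_line": "gateway", "cve": "CVE-0000-00001", "released": "2023-04-20", "deployed": "2023-04-25"},
    {"product_line": "gateway", "cve": "CVE-0000-00003", "released": "2023-04-20", "deployed": "2023-05-30"},
    {"product_line": "portal", "cve": "CVE-0000-00002", "released": "2023-06-01", "deployed": "2023-06-20"},
    {"product_line": "portal", "cve": "CVE-0000-00004", "released": "2023-06-01", "deployed": None},
]

def kev_due_dates(kev_json):
    """Map cveID -> KEV due date, the machine-readable deadline customers ingest."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(kev_json)["vulnerabilities"]}

def closed_on(record, as_of):
    """Deployment date, or as_of for a still-open patch so exposure keeps accruing
    (the metric cannot be improved by simply never deploying)."""
    return date.fromisoformat(record["deployed"]) if record["deployed"] else as_of

def patch_uptake_by_line(records, as_of):
    """Average days from patch release to deployment, segmented by product line."""
    by_line = {}
    for r in records:
        days = (closed_on(r, as_of) - date.fromisoformat(r["released"])).days
        by_line.setdefault(r["product_line"], []).append(days)
    return {line: mean(days) for line, days in by_line.items()}

def kev_remediation(records, kev, as_of):
    """Time to remediate for KEV-listed CVEs only, flagging any past the KEV due date."""
    rows = []
    for r in records:
        due = kev.get(r["cve"])
        if due is None:
            continue  # not in KEV: covered by patch_uptake_by_line instead
        closed = closed_on(r, as_of)
        rows.append({"product_line": r["product_line"], "cve": r["cve"],
                     "days_to_remediate": (closed - date.fromisoformat(r["released"])).days,
                     "open": r["deployed"] is None, "overdue": closed > due})
    return rows
```

Running `kev_remediation(RECORDS, kev_due_dates(KEV_JSON), date(2023, 7, 1))` on the constructed data yields one row per KEV-listed CVE; the second is flagged overdue because it was deployed five days after its KEV due date.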

Pair quantitative measures with independent attestations—SOC 2, ISO/IEC 27001, FedRAMP, or state-level procurement audits—to provide external validation of secure-by-design claims.

Share progress with regulators and major customers through regular briefings or transparency reports to reinforce that secure-by-design workstreams are sustained commitments rather than one-off campaigns.

The guidance further encourages formal vulnerability disclosure and bug bounty programs with safe-harbor language so researchers can report flaws without legal risk, amplifying the vendor’s ability to detect issues before adversaries.

Strategic Implications and Business Considerations

Organizations should evaluate the strategic implications of this development within the context of their broader business objectives and competitive positioning. Early adoption and effective implementation can provide competitive advantages through enhanced customer trust, operational efficiency, and regulatory relationships. Conversely, delayed or inadequate responses may result in regulatory penalties, reputational damage, and competitive disadvantages. Strategic planning should balance compliance obligations with business opportunities created by regulatory changes.

Successful implementation requires careful planning, adequate resources, and sustained organizational commitment. Organizations should establish clear governance structures with defined roles, responsibilities, and accountability. Project management disciplines help ensure timely completion of implementation activities while managing risks and resource constraints. Regular progress monitoring and reporting enable management oversight and early identification of issues requiring intervention. Lessons learned from implementation experiences should inform continuous improvement of compliance capabilities.
