Cybersecurity Briefing — April 13, 2023
CISA, the FBI, NSA, and allied cyber authorities issued secure-by-design principles that require vendors to ship memory-safe code, default security controls, and mature vulnerability disclosure programs.
Executive briefing: On April 13, 2023 the Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and six allied national cyber authorities released Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default Software. The paper tells technology manufacturers to eliminate whole classes of defects, ship secure configurations as the default experience, and invest in coordinated vulnerability disclosure (CVD) programs so customers no longer bear the burden of insecure design decisions.
Key industry signals
- Memory-unsafe languages are being phased out. Vendors are urged to accelerate migrations away from C/C++ for new development and prioritize memory-safe languages or mitigations in existing products.
- Security must be free and enabled by default. Agencies expect multi-factor authentication, logging, and least-privilege features to ship turned on—without premium licensing requirements.
- CVD maturity is table stakes. The guidance directs vendors to publish vulnerability disclosure policies, provide public keys, and issue acknowledgements within a published SLA.
Control alignment
- NIST SP 800-218 (SSDF). Map secure software development tasks (PO.5, PW.7, RV.1) to the joint guide’s demand for defect elimination and threat modelling across the lifecycle.
- Executive Order 14028 implementation. Use the memo’s default security expectations when assembling evidence for EO 14028 Section 4 attestation packages and minimum-element SBOM commitments.
- Contractual obligations. Update procurement language and software supply chain questionnaires so vendors commit to the principles before onboarding.
Detection and response priorities
- Instrument telemetry to verify security defaults remain enabled across fleets, triggering alerts when MFA, logging, or secure configurations are disabled.
- Expand code scanning to identify memory-unsafe usage and track remediation progress against the secure-by-design roadmap.
- Review vulnerability handling SLAs, ensuring triage, fix, and disclosure timelines align with the joint guidance and customer expectations.
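The first detection priority, verifying that security defaults stay enabled and alerting on drift, as an added illustration that is not part of the joint guidance or of any vendor's tooling. It assumes a hypothetical inventory export in which each device record reports the state of three defaults (mfa, logging, hardened_config); the sample inventory is constructed, and missing telemetry is deliberately treated as a finding because an unreported default cannot be proven on.

```python
"""Fleet default-hardening drift check (added example; assumed record format)."""
from dataclasses import dataclass

# Security defaults the joint guidance expects to ship enabled (assumed field names).
REQUIRED_DEFAULTS = ("mfa", "logging", "hardened_config")


@dataclass(frozen=True)
class Alert:
    device: str
    control: str
    detail: str


def check_device(record: dict) -> list[Alert]:
    """Return one Alert per required default that is disabled or not reported."""
    alerts = []
    device = record.get("device", "<unknown>")
    for control in REQUIRED_DEFAULTS:
        state = record.get(control)
        if state is None:
            # No telemetry for this control: treat as drift, not as compliant.
            alerts.append(Alert(device, control, "no telemetry reported"))
        elif state is not True:
            # Anything other than an explicit True (False, "off", "disabled") is drift.
            alerts.append(Alert(device, control, f"reported {state!r}"))
    return alerts


def drift_report(records: list[dict]) -> dict:
    """Summarise drift across the fleet: alerts plus drift percentage per control."""
    alerts = [a for r in records for a in check_device(r)]
    per_control = {c: sum(1 for a in alerts if a.control == c) for c in REQUIRED_DEFAULTS}
    total = len(records)
    drift_pct = {c: round(100 * n / total, 1) if total else 0.0 for c, n in per_control.items()}
    return {"alerts": alerts, "drift_pct": drift_pct, "devices": total}


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    {"device": "fw-edge-01", "mfa": True, "logging": True, "hardened_config": True},
    {"device": "fw-edge-02", "mfa": False, "logging": True, "hardened_config": True},
    {"device": "vpn-gw-07", "mfa": True, "logging": "off", "hardened_config": True},
    {"device": "legacy-appliance-3", "mfa": True, "logging": True},  # hardening field absent
]

if __name__ == "__main__":
    report = drift_report(SAMPLE_INVENTORY)
    for a in report["alerts"]:
        print(f"ALERT {a.device}: {a.control} {a.detail}")
    print("drift % per control:", report["drift_pct"])
```

The per-control drift percentage is the configuration-drift metric the analysis section asks CISOs to quantify; in practice the sample inventory would be replaced by the fleet's real inventory or EDR export.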
Enablement moves
- Brief product management on the requirement to sunset insecure-by-default SKUs and document compensating controls when immediate fixes are not possible.
- Train support teams to route vulnerability intake through published CVD channels and supply researchers with encryption keys and timelines.
- Update customer success playbooks with migration plans for legacy appliances lacking default-hardening features.
Zeph Tech analysis
- Compliance crosswalks now include secure-by-design. Regulators will reference the joint memo when evaluating whether vendors met “reasonable security” expectations.
- Vendor contracts are becoming enforceable levers. Enterprises can require adherence to the principles—and recover costs when defaults ship insecure.
- Metrics matter. Defect density, memory-unsafe usage, and configuration drift must be quantified so CISOs can prove secure-by-default progress during board and regulator reviews.
Zeph Tech is partnering with vendors and buyers to benchmark defect elimination roadmaps against the secure-by-design principles and to build auditable CVD workflows.