Imagine buying a car that has faulty brakes, or a toaster that can catch fire at any moment. You would expect the manufacturer to be held accountable for selling you a defective product that can harm you or others. But what about software products that are riddled with vulnerabilities that can compromise your data, privacy, and security? Shouldn't software developers be responsible for ensuring the safety of their products, as well?
That's the question that Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), posed during her speech at Carnegie Mellon University earlier this week. Easterly urged software developers to be more proactive and accountable for building security into their products from the start, rather than relying on patching vulnerabilities after they are exploited by malicious threat actors in the wild.
Easterly said in her speech:
"As we've integrated technology into nearly every facet of our lives, we've unwittingly come to accept as normal that such technology is dangerous-by-design.
This situation is not sustainable. We need a new model. A model in which we can place implicit trust in the safety and integrity of the technology products that we use every hour of every day, technology which underpins our most critical functions and services. A model in which responsibility for technology safety is shared based upon an organization's ability to bear the burden and where problems are fixed at the earliest possible stage—that is, when the technology is designed rather than when it is being used. A model that emphasizes collaboration as a prerequisite to self-preservation and a recognition that a cyber threat to one organization is a safety threat to all organizations."
Easterly praised Apple for its security practices, such as requiring multi-factor authentication (MFA) for its users and offering bug bounties for researchers who find vulnerabilities in its products. She also suggested that other companies like Microsoft and Twitter need to improve their MFA adoption rates and transparency.
She argued that cybersecurity is not just a technical issue but a universal one that involves all of us. She said that cybersecurity is essential not only for protecting data and networks, but also for protecting end users and businesses against cyberattacks, improving confidence in products, reducing risk, and fostering innovation in the field.
Easterly highlighted the role of universities like Carnegie Mellon in training the next generation of cybersecurity talent. She said that CISA is committed to working with academia, industry, and government partners to build a more secure and resilient cyberspace. She went on to say in her speech:
"Achieving this outcome will require a significant shift in how technology is produced, including the code used to develop software, but ultimately, such a transition to secure-by-default and secure-by-design products will help both organizations and technology providers: it will mean less time fixing problems, more time focusing on innovation and growth, and importantly, it will make life much harder for our adversaries."
You can read her entire speech here.
Follow SecureWorld News for more stories related to cybersecurity.