|
| 1 | +# CISA Secure by Design Cheat Sheet |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +CISA’s *Secure by Design* initiative defines seven principles that guide organizations toward building software with security as a core business requirement. |
| 6 | +This cheat sheet provides developers, architects, and security teams with practical, actionable steps to align with these principles. |
| 7 | + |
| 8 | +--- |
| 9 | + |
| 10 | +## 1. Take Ownership of Customer Security Outcomes |
| 11 | + |
| 12 | +- Ship products with **secure defaults** (e.g., MFA, encryption at rest & in transit). |
| 13 | +- Provide clear documentation of security features and configurations. |
| 14 | +- Deliver timely patches and updates; do not leave customers to defend themselves. |
| 15 | + |
| 16 | +--- |
| 17 | + |
| 18 | +## 2. Embrace Radical Transparency and Accountability |
| 19 | + |
| 20 | +- Publish **vulnerability advisories** openly with remediation timelines. |
| 21 | +- Share **SBOMs (Software Bill of Materials)** with customers. |
| 22 | +- Document secure configuration baselines. |
| 23 | + |
| 24 | +--- |
| 25 | + |
| 26 | +## 3. Lead with Security as a Business Priority |
| 27 | + |
| 28 | +- Make **security a core KPI**, not just a compliance checkbox. |
| 29 | +- Integrate **threat modeling and security reviews** early in the design process. |
| 30 | +- Ensure executive buy-in and accountability for security outcomes. |
| 31 | + |
| 32 | +--- |
| 33 | + |
| 34 | +## 4. Understand and Address Harm Across the Product Lifecycle |
| 35 | + |
| 36 | +- Identify and mitigate **misuse/abuse cases** during design. |
| 37 | +- Provide secure **end-of-life and deprecation policies**. |
| 38 | +- Consider the **human and societal impacts** of insecure defaults. |
| 39 | + |
| 40 | +--- |
| 41 | + |
| 42 | +## 5. Ensure Default Secure Configurations |
| 43 | + |
| 44 | +- Disable insecure or legacy options by default. |
| 45 | +- Enforce **least privilege** and **role-based access control**. |
| 46 | +- Ship products with **logging and monitoring enabled** out of the box. |
| 47 | + |
| 48 | +--- |
| 49 | + |
| 50 | +## 6. Implement Security Controls at Scale |
| 51 | + |
| 52 | +- Automate patching, vulnerability scanning, and CI/CD security checks. |
| 53 | +- Use vetted, secure coding frameworks and libraries. |
| 54 | +- Standardize secure configurations across environments. |
| 55 | + |
| 56 | +--- |
| 57 | + |
| 58 | +## 7. Prioritize Security Investments for Maximum Impact |
| 59 | + |
| 60 | +- Focus first on **exploitable, high-risk vulnerabilities**. |
| 61 | +- Invest in developer education and secure coding training. |
| 62 | +- Track and measure the ROI of security improvements. |
| 63 | + |
| 64 | +--- |
| 65 | + |
| 66 | +## References |
| 67 | + |
| 68 | +- [CISA Secure by Design Alert](https://www.cisa.gov/news-events/alerts/2023/04/13/shifting-balance-cybersecurity-risk-principles-secure-design) |
| 69 | +- [CISA Secure by Design PDF](https://www.cisa.gov/sites/default/files/2023-04/principles_secure_by_design_secure_by_default_508c.pdf) |
| 70 | +- [OWASP Secure Product Design Cheat Sheet](Secure_Product_Design_Cheat_Sheet.md) |
| 71 | + |
| 72 | +--- |
0 commit comments