Secure by Design Goes Beyond Software Development Best Practices

CISA’s Secure by Design, now in its second year, is beginning to pivot to a "Secure by Demand" terminology. Secure by Demand encourages software procurers to push for secure by demand attestations and to obtain proof of secure development practices to quantify the risk of procuring any given software product.

Some technology companies have been proactive in addressing Secure by Design. CISA’s Secure Software Development Attestation Form is available for software makers who are willing to state their conformance to the NIST Secure Software Development Framework (SSDF). The CISA Secure by Design Pledge is also available. Corsha is proud to announce submission of the self-attestation form as well as signing the pledge! 

When it comes to application security, Secure by Design is comprised of 3 main principles:

  1. Take ownership of customer security outcomes.

  2. Embrace radical transparency and accountability.

  3. Build organizational structure and leadership to achieve these goals.

Each principle is then composed of associated best practices. Many of these practices focus on software, roles, and auditable accountability. Attesting to these practices creates the core of accountability in the Secure by Design framework.

Zero trust is a key consideration within that framework, and its importance cannot be overstated when creating trustworthy artifacts, audit histories, and risk assessments. Multi-factor authentication (MFA) is specifically mentioned throughout the Secure by Design document. This typically references user login and role-based identity, but what about the layers that underpin that functionality? 

Machine level connectivity and non-human identity (NHI) are increasingly important to validate the environments, machines, and associated identities where secure by design development and IT activities are intersecting.

Consider a CI pipeline being run to ensure the security of an application. As the security validation jobs are run, is the executor running in a confirmed secure environment? Can a digital artifact attestation really be trusted? Could anyone malicious, if they obtained leaked credentials, have gained access to those environments? Trusted machine identities address this and many other similar concerns, which is why Corsha has developed relevant solutions.

Corsha ensures that only trusted machines have access to operational technology (OT) equipment.  Corsha’s zero trust focus offers discovery, monitoring, and auditing of every connection to your protected services, ensuring only trusted NHI clients access critical services and data. Corsha emphasizes visibility, analytics, and automation via dynamic policies. Corsha’s solutions enable verifiable trust, gain access control, and curb secrets sprawl.

Secure by demand doesn’t separate IT and OT. Secure by demand doesn’t ask us to just create better code. It asks that we create secure software in secure, auditable environments. We need to consider attestation to zero trust-compliant OT environments as much as attesting to the artifacts created in those environments. 

Secure by Design has created a whirlwind of conversation and discomfort within the software community. Everything from open source software repositories to deployment methodologies is being revisited. Ensure your OT and NHI are considered as part of that process! Take a look at Corsha today. 


Headshot_direct_smiling_Oct_2022_3x3  About Joel Krooswyk  

In addition to serving as Federal CTO at GitLab Inc, Joel is a frequent writer and content contributor, drawing upon a wealth of experience in technology, software development, and cybersecurity. With 25 years of hands-on software industry expertise, he possesses an in-depth understanding of the entire software development life cycle. His leadership extends across the US Public Sector, as well as small businesses, mid-market enterprises, and global corporations. In prior roles, Joel spearheaded agile and digital transformations within Fortune 100 companies and authored over half a million lines of unique code throughout his career. He earned his B.S.E.E. from Purdue University and holds numerous industry certifications.

About Corsha

Corsha is an Identity Provider for Machines that allows an enterprise to securely connect, move data, and automate with confidence from anywhere to anywhere. Corsha builds dynamic identities for trusted machines and brings innovation like automated, one-time-use MFA credentials to APIs. 

Corsha’s mission is to secure data in motion and bring zero trust to machines, systems, and services. Today DevSecOps and security teams often are forced to compromise by using static, long-lived API keys, tokens, and certificates as weak proxies for machine identity and access.  Corsha helps teams move past static secrets and generates dynamic identities for trusted machines, bringing innovation like automated, one-time-use MFA credentials, scheduled access, and deep discovery to APIs. The Identity Provider also offers visibility and control over automated API traffic and enables real-time revocation and rotation of identity without disrupting other workloads. 

Whether it is across hybrid cloud infrastructure, data centers, or even manufacturing shop floors, Corsha reimagines machine identity to keep pace with the scale of data and automation needed today.  We ensure automated communication from anywhere to anywhere is pinned to only trusted microservices, workloads, server, controllers, and more. The use of API keys, token, and certificates for authentication is a weak proxy for machine identity today, proving to be costly, risky, and incomplete.  Corsha’s Identity Platform helps an organization move past these outdated secrets management approaches and unlock secure connectivity and data movement at scale.  


 

Corsha Integrations

Our Journey to Hardened Containers

Article

Our Journey to Hardened Containers

READ MORE

OT Security, Manufacturing, ATO

What Is an Authority to Operate (ATO) and Why It Matters for OT?

Article

What Is an Authority to Operate (ATO) and Why It Matters for OT?

READ MORE

Agile - Not Just for the Engineers

Article

Agile - Not Just for the Engineers

READ MORE