'Secure by design' makes waves at RSA Conference 2024

SAN FRANCISCO -- Between breaches, strategic initiatives and the rise of generative AI, "secure by design" became a popular refrain this week at the world's biggest cybersecurity conference.

Secure by design refers to the principle that software should be developed with security in mind through established development frameworks and best practices. Though the concept is far from new, the approach has been featured in multiple different and prominent contexts at RSA Conference 2024.

Perhaps the most prominent example is Microsoft's expansion of its Secure Future Initiative (SFI) this month, in which the tech giant promised to prioritize security in its organization and product development "above all else." Microsoft first announced SFI in November in the wake of a high-profile breach it suffered last year perpetrated by Chinese nation-state actor Storm-0558. After disclosing another breach in January involving Russian nation-state actor Midnight Blizzard and a scathing Cyber Safety Review Board report published last month, Microsoft expanded the initiative.

In a blog post on Friday, Microsoft Security executive vice president Charlie Bell laid out three principles: secure by design, secure by default and secure operations. On the secure by design front, Bell said, "Security comes first when designing any product or service." At RSA Conference on Tuesday, Vasu Jakkal, Microsoft's corporate vice president of security, told TechTarget Editorial that "security has to be first," particularly in the age of generative AI.

The continued ascent of GenAI in the technology industry is also driving discussions about the importance of secure by design. Due to the rapid adoption of GenAI, organizations are at risk of data exposure or theft, model poisoning, or attacks stemming from misconfigurations.

Both public and private sector organizations have emphasized the need to prioritize security in AI at the ground level.

A joint IBM and Amazon Web Services study published on Monday claimed that while 82% of surveyed C-suite executives said trustworthy and secure AI was essential, only 24% had included security as a component of their GenAI-related projects. Separately, IBM published a framework dedicated to secure GenAI development.

Ryan Dougherty, program director for emerging security technology at IBM Security, said integrating security into AI from the start was key.

"Last year, we were talking a lot about ChatGPT, and organizations starting to plot a pilot generative AI project. But this year, we're really talking about operationalizing generative AI in production and embedding it into a lot of the fabric of business applications," he told TechTarget Editorial. "And what we're thinking is from a security perspective, hopefully we've learned our lesson from cloud, where now is the time to integrate security from the start. We can't have that secure by design lag. We really need to be securing by design now at the at the get go."

Dr. Sarah Bird, chief product officer of responsible AI at Microsoft, said the most effective use cases for securing AI at the development level involves implementing security at a slow and steady pace while applying individual models for narrower, focused use cases rather than having a single AI model that tries to do everything.

"The best patterns we're seeing are where you're building on what you already have and then you're using the model in a way that fits in that framework already," she said. "But there are people who say, 'Let's use the model for everything. The model will be the orchestration, the model will be the data access and all of that.' And then you are reinventing everything from scratch. It's a lot harder to secure by design when it's all with brand new technology. If the model plays a very specific role in the larger system, then you really have to deal with just one new novel component."

CISA has also promoted secure by design principles at the conference. On Wednesday, CISA announced that 68 organizations committed to the cyber agency's Secure by Design pledge. By making the pledge, software makers promised to make measurable progress in applying secure by design principles to their organization and publicly document how they achieved it within one year. The pledge represents further emphasis CISA has made on secure by design since they launched an initiative dedicated to the principle last year.

One of the 68 organizations is Ivanti, which has come under fire in recent months amid a string of zero-day vulnerabilities that were exploited in high-profile attacks. In a statement shared with TechTarget Editorial, Ivanti CEO Jeff Abbott said the company was "honored" to be a part of the pledge and applauded CISA for promoting secure by design across the industry.

"Ivanti is undertaking an aggressive plan, rooted in these essential Secure by Design principles, that fundamentally shifts how we design, develop and deploy our products and weaves security into every stage of software development," Abbott wrote. "As our industry faces a pervasive and increasingly aggressive threat, we are proud to stand among those taking action and encourage others in the security industry to rise to the challenge."

CISA Executive Director Brandon Wales told TechTarget Editorial that the agency's emphasis on secure by design is a response to the "whack-a-mole" approach that the cybersecurity industry has been playing for years in addressing "a multi-trillion-dollar insecure technology industry."

"If we think that the answer to 18,000 new vulnerabilities added in a year to the National Vulnerability Database is trying to manage those, one vulnerability at a time, one company at a time, across the country, we are not going to get to the type of security outcomes that we need," Wales said. "And as we looked at that problem, we said, 'We need to change the culture.' We need to solve this problem at a place where it can best be addressed."

Asked why the security industry is emphasizing secure by design now, Wales offered a different question.

"We think the question is not 'why now?' The real question we should be asking is, 'Why is it taken us so long to make this the real issue?' And so we think the best time to do it is immediately."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.