Lithium Press

Secure by Default Tactics

editor, March 14, 2025March 27, 2025

In addition to adopting secure by design development practices, the authoring organizations recommend that software manufacturers prioritize secure by default configurations in their products. Manufacturers should strive to update existing products to conform to these practices as those products are refreshed.

For example:

• Eliminate default passwords. Products should not come with default passwords that are universally shared. To eliminate default passwords, the authoring organizations recommend that products require administrators to set a strong password during installation and configuration, or that the product ship with a unique, strong password for each device.

• Mandate multifactor authentication (MFA) for privileged users. We observe that many enterprise deployments are managed by administrators who have not protected their accounts with MFA. Given that administrators are high-value targets, products should make MFA opt-out rather than opt-in. Further, the system should regularly prompt the administrator to enroll in MFA until they have successfully enabled it on their account. The Netherlands’ NCSC has guidance that parallels CISA’s; see their Mature Authentication Factsheet for more information.
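The two items above describe behaviour rather than policy, so here is what they look like in code: an install-time administrator setup that refuses universally shared passwords (or generates a unique per-device one), and an administrator account on which MFA is the default and the product keeps prompting for enrollment until it is enabled. This is an added example, not code from the page or from any of the authoring organizations; the list of shared default passwords, the minimum length, the character-class rule and the one-day prompt interval are all assumed policy values.

```python
"""Added example: first-boot administrator setup that rejects shared default
passwords and treats MFA as opt-out for privileged accounts.
Constructed code; SHARED_DEFAULTS, MIN_PASSWORD_LENGTH and
MFA_PROMPT_INTERVAL are assumed policy values, not from any product."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed list of widely shared factory passwords that must never be accepted.
SHARED_DEFAULTS = {"admin", "password", "changeme", "12345678", "default", "root"}
MIN_PASSWORD_LENGTH = 14                  # assumed policy value
MFA_PROMPT_INTERVAL = timedelta(days=1)   # assumed re-prompt interval


def is_shared_default(password: str) -> bool:
    """True if the password is a universal default or a trivial variant of one
    (e.g. 'Admin123!'), which is what 'eliminate default passwords' forbids."""
    lowered = password.lower()
    return lowered in SHARED_DEFAULTS or lowered.rstrip("!.0123456789") in SHARED_DEFAULTS


def meets_strength_policy(password: str) -> bool:
    """Length plus character-class diversity; a stand-in for a real policy."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


def generate_device_password(length: int = 20) -> str:
    """Unique per-device credential for products that ship pre-provisioned,
    the alternative the text allows instead of an install-time prompt."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_strength_policy(candidate) and not is_shared_default(candidate):
            return candidate


@dataclass
class AdminAccount:
    username: str
    password_set: bool = False
    # Opt-out rather than opt-in: MFA is required unless explicitly disabled.
    mfa_required: bool = True
    mfa_enrolled: bool = False
    last_mfa_prompt: Optional[datetime] = None


def complete_initial_setup(account: AdminAccount, password: str) -> bool:
    """Install-time step: rejects shared defaults and weak passwords.
    Returns True only when the account is ready to use."""
    if is_shared_default(password) or not meets_strength_policy(password):
        return False
    account.password_set = True
    return True


def should_prompt_mfa_enrollment(account: AdminAccount, now: datetime) -> bool:
    """Keep prompting (at most once per interval) until the admin has enrolled."""
    if not account.mfa_required or account.mfa_enrolled:
        return False
    if account.last_mfa_prompt is None:
        return True
    return now - account.last_mfa_prompt >= MFA_PROMPT_INTERVAL


def login_allowed(account: AdminAccount, second_factor_ok: bool) -> bool:
    """Privileged login needs a set password and, once MFA is enrolled on an
    account that requires it, a valid second factor."""
    if not account.password_set:
        return False
    if account.mfa_required and account.mfa_enrolled and not second_factor_ok:
        return False
    return True
```

The point of `AdminAccount` is that `mfa_required` defaults to `True`: a deployment that never touches the setting ends up with MFA enforced, and `should_prompt_mfa_enrollment` turns every login into a nudge until enrollment is done.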

• Single sign-on (SSO). IT applications should implement single sign-on support via modern open standards. Examples include Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). This capability should be made available by default at no additional cost.

• Secure logging. Provide high-quality audit logs to customers at no extra charge and without additional configuration. Audit logs are crucial for detecting and escalating potential security incidents, and during an investigation of a suspected or confirmed incident. Consider best practices such as easy integration with security information and event management (SIEM) systems through application programming interface (API) access, timestamps in coordinated universal time (UTC) with a standard time zone format, and robust documentation.
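To make the logging item concrete, the following added example (not code from the page or the authoring organizations) emits audit records as single JSON lines with UTC timestamps carrying an explicit `Z` suffix, parses them back, and runs the kind of rule a SIEM would apply, flagging actors with repeated failed logins inside a short window. The field names, the three-failure threshold, the five-minute window and the sample log lines are all constructed for the example.

```python
"""Added example: structured audit log records with UTC timestamps, plus a
small SIEM-style consumer. Constructed code; the record schema, the
burst threshold/window and SAMPLE_LOG are assumptions for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

FAILED_LOGIN_THRESHOLD = 3                 # assumed: failures within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5) # assumed sliding window


def utc_now_iso() -> str:
    """Timestamps always in UTC with an explicit 'Z', so SIEM ingestion never
    has to guess the time zone."""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    return now.replace("+00:00", "Z")


def audit_event(actor: str, action: str, outcome: str, source_ip: str,
                timestamp: Optional[str] = None, **details) -> str:
    """One audit record as a single JSON line, easy to ship to a SIEM over an API."""
    record = {
        "ts": timestamp or utc_now_iso(),
        "actor": actor,
        "action": action,
        "outcome": outcome,
        "source_ip": source_ip,
        "details": details,
    }
    return json.dumps(record, separators=(",", ":"), sort_keys=True)


def parse_audit_line(line: str) -> Dict:
    """Parse one record and normalize its timestamp to an aware UTC datetime.
    A timestamp without a time zone is rejected rather than guessed."""
    record = json.loads(line)
    ts = record["ts"]
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"          # fromisoformat() accepts '+00:00' on all versions
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        raise ValueError("audit timestamp lacks a time zone: " + record["ts"])
    record["ts_parsed"] = parsed.astimezone(timezone.utc)
    return record


def detect_failed_login_bursts(lines: Iterable[str]) -> List[str]:
    """Return actors with >= FAILED_LOGIN_THRESHOLD failed logins inside the
    sliding window, the kind of check a SIEM rule would run on these logs."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    flagged: List[str] = []
    records = sorted((parse_audit_line(l) for l in lines), key=lambda r: r["ts_parsed"])
    for rec in records:
        if rec["action"] != "login" or rec["outcome"] != "failure":
            continue
        actor = rec["actor"]
        window = failures[actor]
        window.append(rec["ts_parsed"])
        # Drop failures that have aged out of the window.
        while window and rec["ts_parsed"] - window[0] > FAILED_LOGIN_WINDOW:
            window.pop(0)
        if len(window) >= FAILED_LOGIN_THRESHOLD and actor not in flagged:
            flagged.append(actor)
    return flagged


# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    audit_event("alice", "login", "failure", "198.51.100.7", timestamp="2025-03-14T09:00:00.000Z"),
    audit_event("alice", "login", "failure", "198.51.100.7", timestamp="2025-03-14T09:01:30.000Z"),
    audit_event("alice", "login", "failure", "198.51.100.7", timestamp="2025-03-14T09:02:10.000Z"),
    audit_event("bob", "login", "failure", "203.0.113.9", timestamp="2025-03-14T09:00:00.000Z"),
    audit_event("bob", "login", "failure", "203.0.113.9", timestamp="2025-03-14T09:30:00.000Z"),
    audit_event("bob", "login", "success", "203.0.113.9", timestamp="2025-03-14T09:31:00.000Z"),
    audit_event("carol", "config_change", "success", "192.0.2.4",
                timestamp="2025-03-14T09:05:00.000Z", setting="mfa_required", new_value="false"),
]
```

Two details carry the text's advice: every record is self-describing JSON with an unambiguous UTC timestamp, and configuration changes are logged alongside logins, so a consumer can see both the attack-like pattern (alice's burst) and the administrative change that an investigator would want to correlate with it.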

• Software authorization profile. Software suppliers should provide recommendations on authorized profile roles and their designated use cases. Manufacturers should include a visible warning that notifies customers of increased risk if they deviate from the recommended profile authorization. For example, medical doctors can view all patient records, but a medical scheduler has access only to the information required for scheduling appointments.
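The doctor/scheduler illustration above maps directly onto a small role model. The added example below (not code from the page or the authoring organizations) ships two recommended profiles with a stated use case each, enforces least-privilege field access, and produces the visible warning the text calls for whenever a customer-defined profile grants more than the recommendation. The field names and profile contents are constructed.

```python
"""Added example: manufacturer-recommended authorization profiles with a
visible warning when a customer's custom profile is broader than the
recommendation. Constructed code; roles follow the doctor/scheduler
illustration in the text, the field names and profiles are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Fields of a patient record, grouped so that scheduling needs only a subset.
SCHEDULING_FIELDS = frozenset({"patient_id", "name", "contact", "appointment_slots"})
CLINICAL_FIELDS = frozenset({"diagnoses", "medications", "lab_results", "clinical_notes"})
ALL_PATIENT_FIELDS = SCHEDULING_FIELDS | CLINICAL_FIELDS


@dataclass(frozen=True)
class Profile:
    name: str
    use_case: str                       # the "designated use case" the text asks for
    readable_fields: FrozenSet[str]
    can_write: bool = False


# Manufacturer-recommended profiles (constructed).
RECOMMENDED: Dict[str, Profile] = {
    "physician": Profile("physician", "direct patient care", ALL_PATIENT_FIELDS, can_write=True),
    "scheduler": Profile("scheduler", "appointment booking", SCHEDULING_FIELDS),
}


def check_access(profile: Profile, fields: FrozenSet[str], write: bool = False) -> bool:
    """Least privilege: every requested field must lie within the profile,
    and writes additionally need the write capability."""
    if write and not profile.can_write:
        return False
    return fields <= profile.readable_fields


def deviation_warnings(custom: Profile, recommended: Profile) -> List[str]:
    """Visible warnings for anything a customer profile grants beyond the
    recommended one. An empty list means the custom profile is no broader."""
    warnings: List[str] = []
    extra = custom.readable_fields - recommended.readable_fields
    if extra:
        warnings.append(
            f"WARNING: profile '{custom.name}' can read {sorted(extra)}, which the "
            f"recommended '{recommended.name}' profile ({recommended.use_case}) cannot; "
            "this increases exposure of sensitive data."
        )
    if custom.can_write and not recommended.can_write:
        warnings.append(
            f"WARNING: profile '{custom.name}' can modify records; the recommended "
            f"'{recommended.name}' profile is read-only."
        )
    return warnings
```

In a real product the warning strings would be surfaced in the administration UI at the moment the custom profile is saved, not only in a log, so the customer makes the trade-off consciously.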

• Forward-looking security over backwards compatibility. Too often, backwards-compatible legacy features are included, and often enabled, in products despite the risks they pose to product security. Prioritize security over backwards compatibility, empowering security teams to remove insecure features even if it means causing breaking changes.

• Track and reduce “hardening guide” size. Reduce the size of the “hardening guides” that are included with products and strive to ensure that the size shrinks over time as new versions of the software are released. Integrate components of the “hardening guide” into the default configuration of the product. The authoring organizations recognize that shortened hardening guides result from ongoing partnership with existing customers and include efforts by many product teams, including user experience (UX).

• Consider the user experience consequences of security settings. Each new setting increases the cognitive burden on end users and should be assessed against the business benefit it provides. Ideally, a setting should not exist; instead, the most secure option should be integrated into the product by default. When configuration is necessary, the default option should be broadly secure against common threats.
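The last three items (legacy features off, hardening-guide items folded into defaults, and secure defaults for whatever settings remain) share one mechanism, so here is a single added example rather than one per item. It is not code from the page or the authoring organizations: the setting names, default values and the rule for what counts as "weakening" are constructed. The loader starts from secure defaults, applies customer overrides, surfaces every weakening change as a visible warning, and can report what a hardening guide would still have to tell this particular customer; the goal is for that report to be empty.

```python
"""Added example: a settings loader whose defaults already are the hardening
guide, with legacy features disabled by default and a visible warning for
each override that weakens security. Constructed code; the Settings fields,
their defaults and the weakening rule are assumptions, not a real schema."""
from dataclasses import dataclass, fields, replace
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class Settings:
    # Secure defaults; a customer changes these only deliberately.
    tls_min_version: str = "1.2"
    legacy_protocol_enabled: bool = False     # backwards-compat feature, off by default
    mfa_required_for_admins: bool = True
    session_timeout_minutes: int = 15
    audit_logging_enabled: bool = True
    admin_interface_bind: str = "127.0.0.1"   # loopback only unless the customer asks


def _weakens(name: str, new: Any, default: Any) -> bool:
    """Constructed policy: which direction of change reduces security."""
    if name == "tls_min_version":
        return float(new) < float(default)
    if name == "session_timeout_minutes":
        return new > default
    # Strings such as the bind address and all booleans: any change away from
    # the default (enabling a legacy feature, disabling a protection) weakens.
    return new != default


def load_settings(overrides: Dict[str, Any]) -> Tuple[Settings, List[str]]:
    """Apply customer overrides to the secure defaults. Unknown keys and
    wrong types are rejected; weakening changes are applied but warned about."""
    defaults = Settings()
    known = {f.name: f.default for f in fields(Settings)}
    warnings: List[str] = []
    applied: Dict[str, Any] = {}
    for name, value in overrides.items():
        if name not in known:
            raise KeyError(f"unknown setting: {name}")
        default = known[name]
        if type(value) is not type(default):
            raise TypeError(f"setting {name} expects {type(default).__name__}")
        if _weakens(name, value, default):
            warnings.append(f"WARNING: {name}={value!r} is less secure than the default {default!r}")
        applied[name] = value
    return replace(defaults, **applied), warnings


def hardening_guide_items(settings: Settings) -> List[str]:
    """What a hardening guide would still need to tell this customer: one
    line per setting weaker than the default. A shrinking guide means
    fewer of these over time; the target is an empty list."""
    defaults = Settings()
    items: List[str] = []
    for f in fields(Settings):
        current, default = getattr(settings, f.name), getattr(defaults, f.name)
        if current != default and _weakens(f.name, current, default):
            items.append(f"set {f.name} back to {default!r}")
    return items
```

Because `Settings()` with no arguments is the hardened state, adding a new knob to the product means adding a field whose default is the secure choice; the cognitive burden the text warns about only arises for customers who override it, and they see a warning when they do.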

The authoring organizations acknowledge that these changes may have operational effects on how the software is employed. Thus, customer input is critical in balancing operational and security considerations. We believe that developing written roadmaps and executive support that prioritize these ideas in an organization’s most critical products is the first step toward shifting to secure software development practices. While customer input is important, we have observed important cases where customers have been unwilling or unable to adopt improved standards, often network protocols. It is important for manufacturers to create meaningful incentives for customers to stay current and not allow them to remain vulnerable indefinitely.
