Security by Design Meetup Recap

At the end of 2023, some trendsetting things happened in Information Security. In October, the US Cybersecurity & Infrastructure Security Agency (CISA) published its Principles and Approaches for Secure by Design Software, while at the beginning of December, the EU reached an agreement on the Cyber Resilience Act (CRA) that will require all software running on client devices connected to the Internet to be designed with cybersecurity in mind. 

In Microblink, we started with initiatives to align with security by design and default best practices. The first one kicked off the Security by Design Meetup series and gathered the InfoSec community in Zagreb, Croatia. 

The Meetup was a huge success, attracting more than 100 people interested in sharing experiences and knowledge about cybersecurity. There were two panel sessions: one with software developers about their security by design procedures and secure-by-default best practices, and a second with members of the financial industry discussing cybersecurity in their digital onboarding processes. This post gives an overview of the discussion and conclusions of the first panel.

The Cyber Resilience Act (CRA) and Security by Design Requirements Panel Session

The panel started with a presentation by the Head of Information Security at Microblink on CRA requirements on security by design and default. This was followed by a discussion with an esteemed group of security experts from Croatia’s most relevant companies: Infobip, Infinum, ASEE, AKD, Infigo, Diverto and Apatura, as well as a representative of the Croatian National Center for Cybersecurity.

The CRA is expected to be passed into law in the coming weeks or months. It will mark a significant step towards a more secure digital future. More importantly, the CRA has the potential to become a trendsetter for robust cybersecurity standards worldwide.

The aim is to protect people who use Internet-connected devices by requiring strict security practices throughout the software development lifecycle. Additionally, the regulation will require software to undergo various compliance assessments, both internal and external, depending on the risk associated with the product's functionality.

A summary of the key security requirements of the CRA:

  • Product development with implementation of security measures and best practices throughout the software development lifecycle;
  • Delivery of products with a configuration that is secure by default;
  • Product delivery without known exploitable vulnerabilities;
  • Control mechanisms that prevent unauthorized access;
  • Processing and protection of only strictly necessary data;
  • Functioning of products in a way that protects the availability of basic functions;
  • Regularly addressing known vulnerabilities through the release of security patches.

Software development companies will be required to publicly disclose their security measures and tests conducted on the products, together with the following documentation about their products:

  • Software Bill of Materials (SBOM) for each product;
  • Declaration of Conformity of the products;
  • A list of all the customers using the products.

Companies covered by the CRA will also have to report incidents and vulnerabilities to regulatory bodies and their clients.

Changes in development standards and product life

Panelists emphasized the importance of onboarding development engineers to new development standards, educating them regularly, and using best practices such as the OWASP Application Security Verification Standard. A risk-based approach and threat modeling of high-risk applications and services will be mandatory parts of the product lifecycle, especially for new products.

Manual peer code review is still considered the baseline in software development. Nevertheless, panelists stressed that automated application security testing tools are a necessary part of the process and add another layer of assurance, even though they produce many false positives. If such tools are properly configured and have visibility into the complete data flow, they can catch an error that a human working on just one system module could overlook.

Management of third-party components and the impact of the open-source community on the security of software products were also part of the discussion. Although reading an SBOM was compared to checking the list of ingredients before buying a sandwich, the panelists agreed that SBOMs are useful when accompanied by regular vulnerability scanning and penetration testing. Such programs can be paired with a public vulnerability disclosure program, popularly called a bug bounty, for a more efficient vulnerability management process.

The panel ended with the opinion that regulations similar to the CRA and best-practice guidance such as CISA's Secure by Design principles are a great lever for building security requirements into the beginning and every aspect of the development process. Furthermore, they will ensure that stakeholders understand and support investing in the process. Ultimately, end consumers will benefit the most, because responsibility for the safety of their data and privacy will shift from themselves to vendors, and products will become more secure.

Conclusion

The passionate discussions, the exchange of ideas, and the expertise shared on cybersecurity and upcoming regulations confirmed that we are part of a talented and dedicated community.

The positive feedback and interest in cybersecurity topics motivate us to build a community platform where people can learn, share and review tools to make products and environments safer and more secure.

Here at Microblink, we design products with security in mind for our customers and their end users. Standards and practices such as the OWASP Application Security Verification Standard, risk-based approaches and threat modeling are already part of our product development. Manual code reviews, third-party component management, regular penetration testing and vulnerability scanning further strengthen that protection.

A huge shout-out to all the guests, especially the panelists, for helping us organize a successful Meetup.

May 21, 2024
