Resources

Building your products and operations to be secure by design has always been good practice, but for Australian companies, it’s even more important than before.

Several Australian regulatory and legal entities have strongly recommended that companies implement secure-by-design practices and take specific steps to make sure their products and services are secure for users.

In this post, we’ll walk through those recommendations and show you what you need to do to comply with the new advice.

What is security by design?

Security by design involves designing your operations and products to be secure from the very beginning, instead of adding security later. The idea is to anticipate threats and vulnerabilities early and account for them during planning, design, and development.

Products are shipped with security baked in from the start and a focus on maintaining security over time through ongoing monitoring and automatic updates.

The Australian Cyber Security Centre (ACSC) says: ““Secure by design” means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure. Software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape.”

What do Australian companies need to be aware of?

Let’s take a quick look at the main guidelines that Australian organisations should now be aware of when it comes to security by design.

● According to the Australian Government’s Application Security Standard, entities that are developing applications for the government should take a Secure-by-Design approach to application development as defined and recommended by the Australian Signals Directorate. ● The Australian Cyber Security Centre (ACSC) has urged organisations to build software that is secure by design, and published a set of Secure by Design foundations to help organisations get best practices in place

● The Office of the Australian Information Commissioner (OAIC) has encouraged a bare minimum of mandatory security-by-design standards, like software update policies and vulnerability reporting, for consumer IoT products

Best practices for security by design

A good place to start with security by design is to identify potential threats early in the design phase. Invite different team members, like developers, architects, and software engineers, to help you pinpoint key technical and business risks here.

You should ship any products with security features turned on by default (not optional add-ons), make sure firmware and software are set to update automatically, and validate and test all your products continuously. Use penetration testing and red team exercises to get more reliable insights into any vulnerabilities.

On top of that, make it easy for users to report issues and vulnerabilities. A good way to do this is via a Coordinated Vulnerability Disclosure (CVD) policy, where security researchers and ethical hackers can easily report any problems.

Finally, educate your teams. Developers should get regular training on how to write secure code and build secure-by-design principles into your products, and architects and engineers should receive playbooks and checklists.

At Aryon, we help Australian businesses build up their security and comply with all relevant recommendations and requirements. Contact us to find out how we can help you do the same.