Ten agencies from across seven countries have joined forces to create a guide for software developer organizations to ensure their products are both secure by design and by default. The joint guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, comes after several recently identified critical vulnerabilities in vendor software. In April, the United States Cybersecurity and Infrastructure Security Agency (CISA) published seven advisories covering vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) software from multiple vendors, including critical vulnerabilities. A few weeks prior, the agency had also issued advisories on 49 vulnerabilities in eight ICS products from providers including Delta Electronics, Hitachi, Keysight, Rockwell, Siemens, and VISAM.

The collaborating agencies are:

The Australian Cyber Security Centre (ACSC)
The Canadian Centre for Cyber Security (CCCS)
Germany's Federal Office for Information Security (BSI)
The Netherlands' National Cyber Security Centre (NCSC-NL)
New Zealand's Computer Emergency Response Team New Zealand (CERT NZ) and National Cyber Security Centre (NCSC-NZ)
The United Kingdom's National Cyber Security Centre (NCSC-UK)
The US's CISA, Federal Bureau of Investigation (FBI), and National Security Agency (NSA)

Secure by design versus secure by default

The guidance defines products secure by design as those where the security of the customers is a core business goal, not just a technical feature. Secure-by-design products start with that goal before development begins. Products secure by default are those that are secure to use out of the box, with little to no configuration changes necessary and security features available at no additional cost.

These approaches, the agencies believe, remove much of the security burden from the customer and reduce the chances of them falling victim to security incidents.

The technology developer's role

Every technology manufacturer should build their products in a way that prevents customers from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions. "Historically, technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense. Only by incorporating secure-by-design practices will we break the vicious cycle of creating and applying fixes," the guidance states.

The agencies urged technology developers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers. One way to achieve that, the document suggests, is for systems developers to migrate to programming languages that eliminate widespread classes of vulnerabilities rather than focusing on product features that seem appealing but increase the risk of an attack.

"Our new joint guide aims to drive the conversation around security standards and help turn the dial so that the burden of cyber risk is no longer carried largely by the consumer," UK National Cyber Security Centre CEO Lindy Cameron said in a statement. "We call on technology manufacturers to familiarise themselves with the advice in this guide and implement secure-by-design and by-default practices into their products to help ensure our society is secure and resilient online."

Businesses must make technology vendors accountable for security of products

Part of the guidance includes recommendations for CISOs and technology buyers on how to help protect their businesses. The guidance recommends organizations hold their technology suppliers accountable for the security of their products. This should be done by prioritizing the purchase of what the guidance describes as secure-by-design and secure-by-default products. It suggests this be done by establishing policies requiring that IT departments assess the security of manufacturer software before it is purchased, as well as empowering IT departments to push back if necessary. "IT departments should be empowered to develop purchasing criteria that emphasize the importance of secure-by-design and secure-by-default practices."

The guidance goes further and recommends that IT should have the support of executive management when enforcing these criteria. "Organizational decisions to accept the risks associated with specific technology products should be formally documented, approved by a senior business executive, and regularly presented to the board of directors."

The security posture of the organization should be seen as critical, including the enterprise network, identity and access management, and security and response operations. Organizations should reinforce the importance of product security both formally, via contracts with vendors, and informally, by building a long-term partnership in which buyers know how the vendor works to ensure the security of its products. They should also keep up relationships with peers, both to stay informed about the best products and services with secure design and to present a united front when giving feedback to technology vendors.

When it comes to cloud security, technology buyers must understand both the provider's responsibilities and the organization's own.

"Insecure technology products can pose risks to individual users and our national security," NSA cybersecurity director Rob Joyce said in a statement. "If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see."

The agencies seek feedback by email on the guidance from interested parties on key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default.