
BSI and international cyber security authorities call for more secure IT products
by Tina Siering
Image source: cisa.gov

Secure IT products: BSI publishes guidelines for IT manufacturers
Quality deficiencies in software and hardware products endanger IT infrastructures and continually open up new attack possibilities for cyber criminals. The BSI therefore appeals to IT manufacturers to give greater consideration to security aspects as early as the development stage and to configure devices securely.
Together with international partner authorities in the USA (CISA), Canada (CCCS), Great Britain (NCSC UK), the Netherlands (NCSC NL), Australia (ACSC) and New Zealand (CERT-NZ), the BSI has published recommendations in the form of a guide for IT manufacturers to anchor the principles of "security-by-design" and "security-by-default" more firmly in product development.
In addition to implementation tips and technical recommendations for standardisation, several basic principles are set out to help software manufacturers build software security into their design processes before they develop, configure and deliver their products.
Dr Gerhard Schabhüser, Vice President of the BSI, emphasises the importance of secure software and hardware for use in government, business and society. The handout uses concrete examples to show the high importance of IT security in the development and delivery of products. Hospitals, municipalities and companies have repeatedly been the victims of successful cyber attacks on vulnerable IT products, which had a direct negative impact, especially on citizens, for example when hospitals had to cancel operations or municipal services could suddenly no longer be offered. The BSI explicitly calls on manufacturers to consider IT security from the outset and to make it as easy as possible for users to use products securely through secure preconfiguration.
Safer product features for consumers
The cyber security authorities also demand that security-relevant product features should be recognisable and understandable for consumers.
In Germany, the IT security label of the BSI is available for orientation. With the Cyber Resilience Act (CRA), the European Union is focusing its legislation on the cyber security of IT products along their entire life cycle. The goal: to sustainably improve the cyber security of products that can be connected to each other or to the internet. The requirements of the Cyber Resilience Act affect all companies that manufacture products with digital elements. In addition, there are obligations for distributors and importers; there are no size-based exemptions.
The BSI's new joint international publication underlines the need for cooperation with partners and the urgent need for action in the area of IT security. To this end, the joint guide is intended to stimulate an international discussion on the key priorities, investments and decisions needed to develop future IT products whose technologies are safe, secure and resilient - both by design and by default.
Click here for the guide: https://www.cisa.gov/sites/default/files/2023-04/principles_approaches_for_security-by-design-default_508_0.pdf