Secure by Design is likely dead at CISA. Will the private sector make good on its pledge?

In April 2023, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, and a host of international cybersecurity partners produced joint guidance on achieving secure-by-design software as a follow-up to President Biden’s May 2021 cybersecurity executive order.

In the last two years of the Biden administration, CISA made secure-by-design a cornerstone of its software security efforts, aiming to decrease preventable flaws in software products before they reach the market. “More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation,” then-CISA Director Jen Easterly said when announcing that 68 leading software providers had signed the agency’s Secure by Design pledge.

Despite CISA’s initial hopes for its initiative, last week Lauren Zabierek and Bob Lord, two architects of the program, announced they are leaving CISA, amid ongoing DOGE-related staff cuts, sparking speculation that Secure by Design is dead.

Ahead of their talk on Secure by Design at RSAC 2025, CSO caught up with Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs, and Chris Wysopal, co-founder and chief security evangelist at Veracode, to gauge their predictions for CISA’s program.

Both agreed that secure by design is a concept that predates CISA and will continue in the private sector even if CISA abandons its program. “There might not be a CISA office that’s doing amazing work on this anymore, but the idea that we have to do it is still going to be around, and hopefully we’ll continue some momentum even if we don’t have Bob and Lauren to cheer it on,” Healey told CSO.

Metrics point to slowly improving software security

Healey and Wysopal are big believers in secure-by-design principles, but they concede that few measurements can directly prove that extra effort at the outset of software creation results in more secure products. “How can we, amongst the indicators and metrics we have, across threats or vulnerabilities, across consequences or impacts, understand if we’re shifting” toward more secure software? Healey asked.

For its annual State of Software Security report, Veracode presents data from several top sources suggesting software security is improving slowly. Wysopal attributes this to “all the recent talk of Secure by Design.”

Wysopal told CSO, “There’s been an acceleration of improvement within the last five years. Why would that be? One of the things that has been happening is this push for secure design, which sophisticated customers like the US government are saying we require our suppliers to do, or at least to attest to how well they did secure by design.”

As one measure of software security improvement, Wysopal pointed to the OWASP Top 10 list, the industry’s bible for identifying the most critical security risks to web applications. “In 2010, 23% of web applications had zero OWASP top 10 issues,” he said. “In 2020, 10 years later, 32% of applications passed with no OWASP top 10 issues, so that’s about a one percentage point per year improvement.”

CISA’s Secure by Design effort is ‘tiny’

Not everyone believes in the concept of security by design. Jeff Williams, founder and CTO of Contrast Security and creator of the first OWASP Top 10 list in 2002, told CSO that, in his view, the very first secure-by-design manual was the vaunted August 1983 “Orange Book” produced by the Department of Defense.

“The Orange Book was extremely rigorous security,” Williams said. “It embodied all the principles of secure by design. We had to build a formal specification of the design. Then we had to build the actual system. We had to show traceability between the design and the implementation. Then we had to show test results and strong sustainability from the tests to the implementation, and so on. It’s 30 years later, and I don’t believe it anymore.”

Williams has become disillusioned with secure by design because its goal is software assurance, whereas the cybersecurity industry has moved on to risk management. “Most organizations do risk management, and assurance is the opposite of risk management,” he said.

The industry has moved away from assurance because organizations have no visibility into the software products they use. “There’s not a lot of transparency in cybersecurity. SBOMs [software bills of material] are the tiniest baby step towards transparency, and they barely tell you anything.”

Given his skepticism, it is unsurprising that Williams is not a fan of CISA’s program. “CISA’s Secure by Design program is a tiny effort. It is just a few people with a few documents that came out. It’s not like a big agency is backing this and saying, ‘This is how we’re going to train the world to do security better and fundamentally change how security is done in the market.’”

The path forward is unclear

Given the turmoil surrounding CISA’s staffing levels, it’s unclear how the agency will move forward with its Secure by Design efforts. In a statement, Bridget Bean, currently performing the duties of a CISA director until nominee Sean Plankey can step into the role, shed little light on the question.

“CISA remains laser-focused on working across the public and private sectors to improve the nation’s cybersecurity, a critical element of which is ensuring that technology companies do their part,” Bean said. “This is why we continue to urge companies to develop products that are secure by design, instead of passing the cost of poorly designed products on to consumers. While CISA’s approaches to Secure by Design evolve, our commitment to the principles remains steadfast. I thank Bob Lord and Lauren Zabierek for helping to lay the foundation on which future work in this space can be built.”

Healey referred to the commonly cited aphorism that the government’s policy tools are carrots, sticks, and sermons. “A lot of Secure by Design was all in the sermons,” he said. “That office was largely sermons. They were out there. They would be encouraging. They would be talking about it. It’s that sermon section of it that will go away.”

Original article: “Secure by Design is likely dead at CISA. Will the private sector make good on its pledge?” | CSO Online