CISA’s “Secure by Design, Secure by Default” gets it right

August 30, 2023
Vikram Phatak

I was recently at Black Hat and DefCon in Las Vegas and was excited to reconnect with Dr. Allan Friedman from the Cybersecurity and Infrastructure Security Agency (CISA). Among the many cyber issues being addressed by CISA today, it was reassuring to hear that their “Secure by Design, Secure by Default” initiative is gaining traction.

I have been testing cybersecurity products since 2007 – first at NSS Labs, and now at – and continue to be surprised when some vendors ship products to customers without including a secure configuration as a default baseline.

Research indicates that most customers expect cybersecurity vendors to ship with a high level of protection enabled by default. CISA’s publication states the following:¹

“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.

  • A secure configuration should be the default baseline. Secure-by-Default products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors, as well as provide the ability to use and further configure security controls at no additional cost.
  • The complexity of security configuration should not be a customer problem. Organizational IT staff are frequently overloaded with security and operational responsibilities, thus resulting in limited time to understand and implement the security implications and mitigations required for a robust cybersecurity posture. Through optimizing secure product configuration—securing the “default path”— manufacturers can aid their customers by ensuring their products are manufactured, distributed, and used securely in accordance with “Secure-by-Default” standards.

Manufacturers of products that are “Secure-by-Default” do not charge extra for implementing additional security configurations. Instead, they include them in the base product like seatbelts are included in all new cars. Security is not a luxury option but is closer to the standard every customer should expect without negotiating or paying more.² has been and will continue to test every product with the vendor default (pre-defined recommended) policies and configurations. In addition, there will be a requirement that the security products have all options for evasion defenses enabled by default in the shipped product. We continue this tradition with our upcoming test of Cloud Network Firewalls. Our latest methodology was released today.

We are glad that we are in alignment with CISA and look forward to expanding our efforts to support their “Secure by Design, Secure by Default” initiative.

Vikram Phatak