The Importance of Secure by Design in AI Software Development

Artificial intelligence (AI) software is revolutionizing various industries, but security concerns remain a prominent issue. In a recent blog post, Christine Lai and Jonathan Spring from the Cybersecurity and Infrastructure Security Agency (CISA) emphasize the need for AI developers to prioritize security by design.

The duo emphasizes that Secure by Design practices, which rely on other safety principles and guardrails, should be applied by the AI engineering community. Additionally, they stress the importance of incorporating Common Vulnerabilities and Exposures (CVE) and other vulnerability identifiers into the development process.

To ensure secure AI systems, Lai and Spring recommend capturing AI models and their dependencies, including data, in software bills of materials. This approach enables better transparency and accountability throughout the development and implementation stages. Furthermore, they emphasize the importance of AI systems respecting fundamental privacy principles by default.

In their blog post, Lai and Spring discuss the specific assurance issues related to AI and highlight the distinction between adversarial inputs that drive misclassifications and security detection bypass.

It is crucial for AI developers to prioritize security by design to mitigate potential risks and vulnerabilities. By incorporating secure development practices, developers can proactively address security concerns and improve the overall resilience of AI systems.


What are Secure by Design practices?
Secure by Design practices prioritize security considerations in the development process of software or systems. This approach ensures that security measures are woven into the design from the beginning, rather than being added as an afterthought.

What are software bills of materials?
Software bills of materials (SBOMs) are comprehensive lists that outline the components and dependencies of a software system. SBOMs provide transparency and accountability, enabling better management of security vulnerabilities and potential risks.

What are Common Vulnerabilities and Exposures (CVE)?
Common Vulnerabilities and Exposures (CVE) is a standardized list of publicly known cybersecurity vulnerabilities and exposures. CVEs provide a common language for identifying and addressing security issues across different software systems.

What is the role of AI in security?
AI has the potential to enhance security measures, such as threat detection and anomaly identification. However, AI systems themselves can also be vulnerable to attacks if not developed with robust security measures in place. Secure development practices are essential to ensure the integrity and resilience of AI systems.