U.S. Agencies Join Global Coalition in Secure Software Push

The U.S. and a coalition of international government agencies have issued joint guidance that aims to get software companies to heighten security for their products. “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default” takes the position that today’s software is insecure by default and that the burden of making it safe falls on the customer. Manufacturers should make their products safe before they ship by taking steps including deprecating the “default password,” writing their programs using only secure coding languages, providing free patches and setting up vulnerability reporting programs.

The U.S. Cybersecurity and Infrastructure Security Agency, along with the FBI and the National Security Agency, has teamed with the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands and New Zealand to issue the guidance, which takes the form of recommendations, not binding rules.

“To create a future where technology and associated products are safer for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only Secure-by-Design and -Default products to be shipped to customers. Products that are Secure-by-Design are those where the security of the customers is a core business goal, not just a technical feature,” the report says.

The Washington Post calls the “Principles and Approaches” document “the first major step by the Biden administration as part of its push to make software products secure” from the earliest development stage, and says the initiative is “part of a potentially contentious multiyear effort that aims to shift the way software makers secure their products.”

Last month, the White House issued a National Cybersecurity Strategy position paper that emphasized collaboration between the public and private sectors and shifting the security burden away from individuals and small businesses.

Companies including Microsoft, IBM and Oracle have already been throwing their weight behind such efforts, which increasingly involve cloud-based companies like Google and Amazon. CISA conceded as much, writing in an announcement that “many private sector partners have made invaluable contributions.”

“The target audience for the guidelines is not just technology providers, but also customers so they know the right questions to ask when purchasing software,” points out The Post, which interviewed CISA’s executive assistant director Eric Goldstein and technical advisor Bob Lord, who say the goal is to message widely, reaching universities, non-profits, and standards-developing bodies, triggering discussion and feedback.

The guidance comes weeks after CISA director Jen Easterly delivered what BankInfoSecurity calls “a high-profile address urging manufacturers to stop vulnerabilities from accumulating before products ship. The era of releasing products to the public with ‘dozens, hundreds or thousands of defects’ must end, she said.”
