Security by default
“Secure by default” means that a software product is resilient against prevalent exploitation techniques out of the box and at no additional charge: it protects against the most common threats and vulnerabilities without end users having to take extra steps, or pay for extra features, to secure it. External software providers and in-house development teams alike should aim to ship software that is secure by default. Some of the recommended practices include:
- Eliminate default passwords [Mandatory]: products must not ship with a default password that is shared across every installation. Instead, the software should require the administrator to set a strong, unique password during installation and initial configuration.
- Require multi-factor authentication (MFA) [Recommended]: MFA should be required for user accounts, and in particular for privileged accounts such as system administrators.
- Single sign-on (SSO) [Recommended]: IT applications should support single sign-on through modern open standards (for example OpenID Connect or SAML) whenever possible, so that authentication is centralised rather than re-implemented per application.
- Secure logging [Mandatory]: audit logging should be enabled by default, particularly for sensitive operations. Audit logs are crucial for detecting and escalating potential security incidents, and again during the investigation of a suspected or confirmed incident.
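The following first-run bootstrap routine is an added example of how these four practices look when wired into an installer; it is not code from the page or from any particular product. It uses only the Python standard library, and all names, the deny-list of shared default passwords, the 14-character minimum, and the sample values are constructed for illustration. It refuses well-known default credentials, hashes the chosen password with PBKDF2-HMAC-SHA256, requires a working TOTP (RFC 6238) enrolment for the administrator role, and writes every attempt, successful or not, to an audit log that is switched on unless explicitly disabled.

```python
"""First-run bootstrap for a hypothetical application: no shared default
credential, a password policy enforced at install time, MFA (TOTP, RFC 6238)
required for the admin role, and audit logging on from the start.
Standard library only; all names and sample values are constructed."""
import hashlib
import hmac
import json
import secrets
import struct
import time
from typing import Optional

# Constructed deny-list of "universally shared" default credentials.
FORBIDDEN_DEFAULTS = {"admin", "password", "changeme", "123456", "default", "root", "letmein"}
MIN_PASSWORD_LEN = 14          # assumed policy value
PBKDF2_ITERATIONS = 600_000    # PBKDF2-HMAC-SHA256 work factor, OWASP-recommended order of magnitude


class AuditLog:
    """Append-only, structured (JSON Lines) audit trail. Enabled unless explicitly disabled."""

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled
        self.entries = []

    def record(self, event: str, actor: str, outcome: str, **detail) -> None:
        if not self.enabled:
            return
        entry = {"ts": int(time.time()), "event": event, "actor": actor, "outcome": outcome, **detail}
        self.entries.append(json.dumps(entry, sort_keys=True))


def password_problem(username: str, password: str) -> Optional[str]:
    """Return a reason the password is unacceptable, or None if it passes the policy."""
    lowered = password.lower()
    if lowered in FORBIDDEN_DEFAULTS or lowered == username.lower():
        return "password is a well-known default or equals the username"
    if len(password) < MIN_PASSWORD_LEN:
        return "password must be at least %d characters" % MIN_PASSWORD_LEN
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted PBKDF2-HMAC-SHA256; the salt and work factor are stored with the hash."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Accept the current step and one step either side to absorb small clock skew."""
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code) for d in (-1, 0, 1))


def bootstrap_admin(username: str, password: str, totp_secret: bytes, totp_code: str,
                    now: int, audit: AuditLog, require_mfa: bool = True) -> dict:
    """Create the first administrator account. Returns the stored record or raises ValueError.
    Every outcome, including a refusal, is written to the audit log."""
    problem = password_problem(username, password)
    if problem:
        audit.record("admin.create", username, "denied", reason=problem)
        raise ValueError(problem)
    if require_mfa and not verify_totp(totp_secret, totp_code, now):
        audit.record("admin.create", username, "denied", reason="mfa enrollment code invalid")
        raise ValueError("MFA enrollment failed: TOTP code did not verify")
    record = {"user": username, "role": "admin", "mfa": require_mfa, "pw": hash_password(password)}
    audit.record("admin.create", username, "ok", role="admin", mfa=require_mfa)
    return record


if __name__ == "__main__":
    audit = AuditLog()                     # on by default; nobody has to remember to enable it
    secret = b"12345678901234567890"       # RFC 6238 test-vector seed, constructed for the demo
    admin = bootstrap_admin("ops-admin", "correct horse battery staple 42",
                            secret, totp(secret, 59), 59, audit)
    print(admin["user"], verify_password("correct horse battery staple 42", admin["pw"]))
    for line in audit.entries:
        print(line)
```

Note that the deny-list only catches shared defaults; the real control is that the installer never creates an account until the operator has chosen a password that passes the policy and proven possession of the second factor. The audit entry for a denied attempt is as important as the one for success, since an installer being driven with `admin`/`admin` is itself a signal worth escalating.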