
CISA, FBI Seek Public Comment on Software Security Bad Practices Guidance

CISA and the FBI are requesting public comment on new guidance regarding risky software security bad practices.

The US cybersecurity agency CISA and the FBI have released new guidance on security bad practices for software manufacturers and are inviting the public to provide feedback on it.

The guidance urges makers of software and services for critical infrastructure or national critical functions (NCFs) to prioritize security throughout the development process and reduce security risks for their customers.

It offers an overview of product security bad practices considered exceptionally risky and provides recommendations for mitigating them, in line with CISA’s Secure by Design initiative.

“The guidance contained in this document is non-binding and while CISA encourages organizations to avoid these bad practices, this document imposes no requirement on them to do so,” the agency notes.

The authoring agencies have divided the product security bad practices into three categories, namely product properties, security features, and organizational processes and policies.

Bad practices related to product properties, or the security-related qualities of software, include the use of memory-unsafe languages, the inclusion of user input in SQL query and operating system command strings, the use of default passwords, and the use of components that contain known vulnerabilities or issues listed in CISA’s KEV catalog.
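Two of the product-property bad practices named above, user input spliced into SQL text and into shell command strings, are shown here next to their mitigations (a bound parameter and an argument vector). This is an added illustration, not code from the guidance; the user table and inputs are constructed for the demo.

```python
import shlex
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory table with one name containing a quote.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_role_bad(conn, name):
    # Bad practice: the input becomes part of the SQL statement itself, so any
    # quote or SQL syntax in it is parsed as syntax rather than as a name.
    return conn.execute(
        "SELECT role FROM users WHERE name = '" + name + "'").fetchall()


def lookup_role_good(conn, name):
    # Mitigation: the driver binds the value as data; it can never alter the query.
    return conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)).fetchall()


def bad_query_breaks(conn, name):
    # Returns True when the string-built query fails to parse for this input.
    try:
        lookup_role_bad(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def list_cmd_string(path):
    # Bad practice: a command string for a shell (os.system / shell=True); the
    # shell re-tokenises it, so spaces and metacharacters in path change the command.
    return "ls -l " + path


def list_cmd_argv(path):
    # Mitigation: an argv list for subprocess.run(...) with no shell; path stays
    # one argument whatever characters it contains.
    return ["ls", "-l", path]


def shell_token_count(path):
    # How many words a POSIX shell would see in the string form (shlex mirrors that).
    return len(shlex.split(list_cmd_string(path)))
```

The string-built query works for plain names, which is why the defect survives ordinary testing; the parameterised form returns the same row for every input.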


When it comes to security features, bad practices include the lack of multi-factor authentication (MFA) and the lack of capabilities to gather evidence of intrusion in the baseline version of a product.

Organizational processes and policies refer to software makers’ transparent approach to security, and bad practices include the failure to publish CVEs with CWEs in a timely manner and not having a published vulnerability disclosure policy.

“While this guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices,” CISA notes.

The authoring agencies are encouraging interested parties to provide feedback on the guidance by December 2, 2024, via the Federal Register.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
