
CISA, FBI Update Software Security Recommendations

CISA and the FBI have updated their guidance regarding risky software security bad practices based on feedback received from the public.


The US cybersecurity agency CISA and the FBI have updated their guidance on risky software security bad practices to include the feedback received during a public comment period.

Called Product Security Bad Practices, the guidance provides an overview of the security practices considered exceptionally risky, offers recommendations on addressing them, and urges makers of software for critical infrastructure to prioritize security.

A non-binding document, the guidance covers risky bad practices related to product properties, security features, and organizational processes and policies, including the use of memory-unsafe languages, default passwords, and components with known vulnerabilities, the lack of multi-factor authentication (MFA) and logging, and the failure to publish CVEs with CWEs in a timely manner.

Following a month-and-a-half public comment period, CISA incorporated feedback from 78 public comments, adding new bad practices, clearer timelines for patching flaws listed in the Known Exploited Vulnerabilities (KEV) catalog, additional context regarding memory-safe programming languages, and more.

The updated guidance includes three new bad practices, covering hardcoded credentials, the use of insecure or outdated cryptographic functions, and product support, and adds more examples of how to prevent SQL injection and command injection bugs.

Furthermore, it updates the MFA section with language specific to operational technology products and recommends that software makers support phishing-resistant MFA.

“This document is intended for software manufacturers who develop software products and services, including on-premises software, cloud services, and software as a service (SaaS). This also applies to software products that run on operational technology (OT) products or embedded systems,” CISA and the FBI note.

However, the two agencies advise all software manufacturers to review the guidance and avoid the bad practices it describes, thereby signaling to their customers that they are taking ownership of customer security outcomes, one of the secure-by-design principles that CISA is urging organizations to adopt.


“CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process,” the two agencies note.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
