The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released draft guidance on product security bad practices last week, highlighting practices that are deemed “exceptionally risky” and providing recommendations for software manufacturers to mitigate these risks.

According to CISA, these product security bad practices represent the next major step in the agency’s Secure by Design initiative.

The catalog – which urges software manufacturers to avoid these bad practices, especially those who produce software used in service of critical infrastructure or national critical functions – is now open for public comment until Dec. 16.

“It’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop. These product security bad practices pose unacceptable risks in this day and age, and yet are all too common,” said CISA Director Jen Easterly.

“We hope that by following this clear-cut, voluntary guidance, software manufacturers can lead by example in taking ownership of their customers’ security outcomes and fostering a secure by design future,” she said. “Please provide input and let us know how we can improve this list of bad practices.”

The joint guidance lists the bad practices in three categories:

  • Product properties: describes the observable, security-related qualities of a software product;
  • Security features: describes the security functionalities that a product supports; and
  • Organizational processes and policies: describes the actions taken by a software manufacturer to ensure strong transparency in its approach to security.

Examples include developing in memory-unsafe languages; the presence of default passwords; the presence of known exploited vulnerabilities; the lack of multifactor authentication; and more.

“Our National Cybersecurity Strategy highlights the importance of securing our nation’s critical infrastructure and shoring up our cyber defenses,” said White House National Cyber Director Harry Coker. “The impact of product security bad practices has wide-ranging consequences across our nation and is often felt by the American people. Our private sector partners must shoulder their responsibility and build secure products and I’m glad to see this document as another tool to help software manufacturers do just that. We need to work together to prioritize best practices to better protect our nation.”

According to CISA, the bad practices were selected, based on the current threat landscape, as the most dangerous and pressing items that software manufacturers should avoid.

In their request for information, CISA and the FBI ask the public to comment on any software security bad practices that the agencies might have missed.

Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.