The Cybersecurity and Infrastructure Security Agency (CISA), a key entity under the US Department of Homeland Security, and the Federal Bureau of Investigation (FBI) have urged software manufacturers to increase focus on security throughout the product development process.
The two agencies made the request while releasing joint guidance on Product Security Bad Practices, as part of CISA’s Secure by Design initiative.
The draft guidance is open for public comment until 2 December 2024, after which CISA will issue a revised version of the list of bad practices.
Product Security Bad Practices Guidance Details
According to a statement, the Product Security Bad Practices guidance outlines practices that the agencies have identified as highly risky, and offers recommendations for software manufacturers to mitigate those risks.
The bad practices are divided into three categories: product properties; security features; and organisational processes and policies.
Product properties are the observable, security-related qualities of a software product, while security features are the security functionality that a product supports.
Organisational processes and policies cover the actions a software manufacturer takes to ensure transparency in its approach to security.
The guidance is aimed primarily at software manufacturers that develop products and services used in support of critical infrastructure; other companies are also encouraged to follow it.
“It’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop. These product security bad practices pose unacceptable risks in this day and age, and yet are all too common,” said CISA director Jen Easterly. “We hope that by following this clear-cut, voluntary guidance, software manufacturers can lead by example in taking ownership of their customers’ security outcomes and fostering a secure by design future. Please provide input and let us know how we can improve this list of bad practices.”
Earlier this month, the CISA Cybersecurity Advisory Committee approved four draft reports aimed at strengthening national resilience against cyber threats.