
CISA and FBI Urge Secure Software Development


In a move to bolster secure software development, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly released the Product Security Bad Practices catalog for public review. The document highlights risky software development practices and offers guidelines for mitigating these risks, with a specific focus on software manufacturers serving critical infrastructure or national critical functions (NCFs).

The public comment period for the catalog opened recently and will run until December 2, 2024. This window allows stakeholders to provide feedback and contribute to refining the guidance provided in the catalog.

Aligned with the National Cybersecurity Strategy, the release of this catalog marks a strategic effort to shift the responsibility of safeguarding cyberspace to software manufacturers. The strategy underscores the fact that many cybersecurity vulnerabilities stem from poor software development practices, particularly in critical systems. By steering clear of these bad practices, manufacturers can significantly enhance overall cybersecurity and contribute to building a secure digital infrastructure.

CISA Director Jen Easterly emphasized the importance of addressing software defects that continue to leave critical infrastructure vulnerable to cyberattacks. Easterly noted the voluntary nature of the guidance while urging manufacturers to prioritize security in their products. White House National Cyber Director Harry Coker Jr. echoed these sentiments, urging the private sector to take responsibility for building secure products to safeguard national security and everyday American lives.

The FBI, through Assistant Director Bryan Vorndran, underscored the necessity of steering clear of bad practices in software development, especially for systems used in critical infrastructure. Vulnerabilities in such systems can pose serious risks to national security and the general populace. Both the FBI and CISA called on software manufacturers to heed the guidelines in the catalog to prevent malicious exploitation of vulnerabilities.

This move by CISA and the FBI is part of CISA’s Secure by Design initiative, a collaborative effort supported by multiple U.S. and international agencies. Over 220 manufacturers have already committed to adopting best practices in security through CISA’s Secure by Design Pledge. The Product Security Bad Practices catalog builds on previous initiatives like the NIST Secure Software Development Framework (SSDF) and is designed to serve as a central guiding document for future actions under the Secure by Design initiative.

The catalog is structured into three key categories: Product Properties, Security Features, and Organizational Processes and Policies. It aims to highlight the most critical bad practices that software manufacturers should avoid, based on the current threat landscape. Notable bad practices included in the catalog range from using memory-unsafe languages to including default passwords and allowing user-provided input in SQL query strings.
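To make the SQL bad practice concrete, the following is an added example (it is not code from the catalog or from this article) showing a login check that builds its query by string formatting beside the parameterized version. The `users` table, its rows and the injection payloads are constructed here for the demonstration; the behaviour is the same in any SQL-backed application.

```python
import sqlite3


def make_db():
    """Constructed sample database: one legitimate account (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """BAD PRACTICE: user-provided input is pasted into the SQL query string.

    Quote characters in the input become SQL syntax, so the attacker can
    rewrite the WHERE clause.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values; the input is only ever
    compared as data and can never alter the statement's structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed payloads. The first turns the WHERE clause into
#   username = 'alice' AND password = '' OR '1'='1'
# which is true for every row; the second comments out the password check:
#   username = 'alice'--' AND password = '...'
PASSWORD_PAYLOAD = "' OR '1'='1"
USERNAME_PAYLOAD = "alice'--"


def demo():
    """Return the outcome of the legitimate and malicious attempts for both versions."""
    conn = make_db()
    return {
        "unsafe_legit": login_unsafe(conn, "alice", "correct horse battery staple"),
        "unsafe_bypass_password": login_unsafe(conn, "alice", PASSWORD_PAYLOAD),
        "unsafe_bypass_username": login_unsafe(conn, USERNAME_PAYLOAD, "wrong"),
        "safe_legit": login_safe(conn, "alice", "correct horse battery staple"),
        "safe_bypass_password": login_safe(conn, "alice", PASSWORD_PAYLOAD),
        "safe_bypass_username": login_safe(conn, USERNAME_PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

Running the block shows the unsafe function accepting both payloads with no valid password, while the parameterized function accepts only the genuine credentials. The fix is not input filtering but keeping data out of the statement text altogether; the same principle applies to ORM raw-query escape hatches and to stored procedures that build dynamic SQL internally.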

In conclusion, the release of the Product Security Bad Practices catalog represents a significant step towards enhancing software security, particularly in critical infrastructure sectors. By outlining and discouraging risky practices, CISA and the FBI aim to steer software manufacturers towards safer development practices. Public feedback is crucial to ensuring the catalog’s relevance and effectiveness in improving software security standards industry-wide.
