
CISA Reveals Highly Risky Software Bad Practices


The U.S. cyber defense agency, CISA, and the FBI have issued a joint warning to software providers against development practices that could endanger critical infrastructure sectors and national security. In the guide released by the two agencies, they list insecure development techniques that should be avoided, such as splicing user-provided input directly into SQL database queries or operating system command strings (the root cause of SQL injection and command injection) instead of using parameterized queries and argument vectors.
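The two injection patterns the guide names, shown as an added example rather than code from the CISA/FBI guide itself. The user table and the ping command are constructed for illustration; the point is that the parameterized query and the argument vector keep the input as data, while the string-built variants let quotes and shell metacharacters change what gets executed. The command-string half is built but deliberately not run.

```python
import re
import sqlite3

# Constructed in-memory table standing in for an application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn

def login_unsafe(conn, username, password):
    """BAD PRACTICE: user-provided input spliced into the SQL text.

    A quote in the input ends the string literal, so the rest of the
    input becomes SQL syntax and can rewrite the WHERE clause.
    """
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, username, password):
    """Parameterized query: the driver passes the values separately from
    the statement, so the input is compared as data and cannot alter it."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def build_ping_command_unsafe(host):
    """BAD PRACTICE: a single string meant for subprocess.run(..., shell=True).
    Metacharacters in `host` such as ';' or '$(...)' are run as commands."""
    return f"ping -c 1 {host}"

# Strict allowlist for a hostname (hypothetical policy chosen for this example).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

def build_ping_command_safe(host):
    """Argument vector for subprocess.run(argv) with no shell: `host` is
    always exactly one argv element. Validation rejects anything that is
    not a plain hostname before it ever reaches the process."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]

def demo():
    """Run the SQL half against the constructed table and build both command forms."""
    conn = make_db()
    tamper = "' OR '1'='1"          # classic tautology payload
    return {
        "unsafe_bypassed": login_unsafe(conn, "alice", tamper),   # True: login without the password
        "safe_bypassed": login_safe(conn, "alice", tamper),       # False: payload compared as data
        "unsafe_cmd": build_ping_command_unsafe("example.com; cat /etc/passwd"),
        "safe_cmd": build_ping_command_safe("example.com"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the tampered password the concatenated query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so `login_unsafe` reports success; the parameterized version compares the same bytes literally and fails. For the command case, the allowlist plus argv form means a value like `example.com; cat /etc/passwd` is rejected outright rather than reaching a shell.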

CISA Director Jen Easterly expressed concern over the prevalence of preventable software defects that continue to leave critical infrastructure vulnerable to cyber attacks. One of the highlighted bad practices is shipping products with default passwords; the guide instead calls for a random, unique initial password per product instance, or a forced change on first use, for products serving critical infrastructure. This aligns with guidance from the National Institute of Standards and Technology, which calls for a revamp of password practices to improve security.

Experts have commended CISA’s efforts to enforce minimum security development standards on software providers, emphasizing the importance of embedding strong security measures in product design. The shift towards holding developers accountable for product safety aims to enhance cybersecurity from the ground up, reducing the burden on end users to secure their systems.

Chris Wysopal, co-founder of Veracode, stressed the importance of meeting basic cybersecurity measures, especially for companies developing software that supports critical functions. The guidance also recommends supporting multifactor authentication and avoiding components with known vulnerabilities in new products. Failing to disclose newly discovered vulnerabilities in products serving critical sectors poses a significant risk to national security, according to CISA and the FBI.

Despite the guidance provided by CISA, many software providers are still neglecting fundamental cybersecurity practices in their products, as highlighted by Neil Carpenter, field chief technology officer at Orca Security. Carpenter emphasized the need for engineering and product leaders to prioritize security in their design decisions to prevent organizations from being compromised due to poor product design.

In 2023, CISA released a secure-by-design roadmap that urged manufacturers to conduct risk evaluations and build protections into their product blueprints to mitigate cyber threats. The roadmap recommended prioritizing the use of memory-safe programming languages and making tough decisions to prioritize customer protection over adopting insecure features.

The public and stakeholders have until December 2 to submit feedback on the catalog of bad practices, published as "Product Security Bad Practices", via the Federal Register. The request for comment aims to gather input on improving product security and safeguarding critical infrastructure from cyber threats. By following the guidance provided by CISA and the FBI, software providers can contribute to a more secure digital ecosystem that protects national security and critical infrastructure sectors.
