ЦиберСецурити СЕЕ

CISA and FBI Urge Secure Software Development

In a move to bolster secure software development, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly released the Product Security Bad Practices catalog for public review. The document highlights risky software development practices and offers guidelines for mitigating these risks, with a specific focus on software manufacturers serving critical infrastructure or national critical functions (NCFs).

The public comment period for the catalog opened recently and will run until December 2, 2024. This window allows stakeholders to provide feedback and contribute to refining the guidance provided in the catalog.

Aligned with the National Cybersecurity Strategy, the release of this catalog marks a strategic effort to shift the responsibility of safeguarding cyberspace to software manufacturers. The strategy underscores the fact that many cybersecurity vulnerabilities stem from poor software development practices, particularly in critical systems. By steering clear of these bad practices, manufacturers can significantly enhance overall cybersecurity and contribute to building a secure digital infrastructure.

CISA Director Jen Easterly emphasized the importance of addressing software defects that continue to leave critical infrastructure vulnerable to cyberattacks. Easterly noted that the guidance is voluntary while stressing the need for manufacturers to prioritize security in their products. White House National Cyber Director Harry Coker Jr. echoed these sentiments, urging the private sector to take responsibility for building secure products to safeguard national security and everyday American lives.

The FBI, through Assistant Director Bryan Vorndran, underscored the necessity of steering clear of bad practices in software development, especially for systems used in critical infrastructure. Vulnerabilities in such systems can pose serious risks to national security and the general populace. Both the FBI and CISA called on software manufacturers to heed the guidelines in the catalog to prevent malicious exploitation of vulnerabilities.

This move by CISA and the FBI is part of CISA’s Secure by Design initiative, a collaborative effort supported by multiple U.S. and international agencies. Over 220 manufacturers have already committed to adopting best practices in security through CISA’s Secure by Design Pledge. The Product Security Bad Practices catalog builds on previous initiatives like the NIST Secure Software Development Framework (SSDF) and is designed to serve as a central guiding document for future actions under the Secure by Design initiative.

The catalog is structured into three key categories: Product Properties, Security Features, and Organizational Processes and Policies. It aims to highlight the most critical bad practices that software manufacturers should avoid, based on the current threat landscape. Notable bad practices included in the catalog range from using memory-unsafe languages to including default passwords and allowing user-provided input in SQL query strings.

In conclusion, the release of the Product Security Bad Practices catalog represents a significant step towards enhancing software security, particularly in critical infrastructure sectors. By outlining and discouraging risky practices, CISA and the FBI aim to steer software manufacturers towards safer development practices. Public feedback is crucial to ensuring the catalog’s relevance and effectiveness in improving software security standards industry-wide.
