In partnership with the Federal Bureau of Investigation (FBI), CISA released an update to the joint guidance Product Security Bad Practices in furtherance of CISA’s Secure by Design initiative. This updated guidance incorporates public comments CISA received in response to a Request for Information, adding further bad practices, context regarding memory-safe languages, clarified timelines for patching Known Exploited Vulnerabilities (KEVs), and other recommendations.
While this voluntary guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices.
CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. For more information and resources, visit CISA’s Secure by Design webpage or learn how to take CISA’s Secure by Design Pledge.
Brief
On 17/01/2025, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released updated guidance on Product Security Bad Practices. The updated guidance includes additional bad practices, clarifies timelines for patching Known Exploited Vulnerabilities (KEVs), and provides recommendations for software manufacturers to reduce customer risk by prioritizing security throughout the product development process.
Purpose
The primary objective behind this update is to provide software manufacturers with a comprehensive guide on product security bad practices, furthering CISA’s Secure by Design initiative. This updated guidance aims to educate and advise software developers on best practices to reduce customer risk and enhance overall product security.
Effects on Industry
This update has significant implications for the software manufacturing industry, as it explicitly highlights 23 new product security bad practices that can lead to vulnerabilities in products and services. The incorporation of additional bad practices, context regarding memory-safe languages, and clarified timelines for patching KEVs will require software manufacturers to reassess their development processes and prioritize security throughout the product development lifecycle. As a result, this update is expected to have a substantial impact on the industry, with software manufacturers needing to adapt to these new guidelines to avoid potential risks.
Relevant Stakeholders
This update affects all software manufacturers who develop products and services in support of critical infrastructure. This includes companies that provide software solutions for sectors such as finance, healthcare, energy, and transportation. The guidance also applies to developers working on non-critical infrastructure projects, who are strongly encouraged to adhere to these practices so that their products meet the necessary security standards.
Next Steps
To comply with this update, software manufacturers are urged to take the following steps: 1) Review and implement the updated product security bad practices; 2) Prioritize security throughout the product development process; and 3) Consider taking CISA’s Secure by Design Pledge. Furthermore, software developers can visit CISA’s Secure by Design webpage for more information and resources on how to secure their products and services.
Any Other Relevant Information
In addition to this update, CISA encourages software manufacturers to take a proactive approach to security by implementing Secure by Design principles. This includes prioritizing security throughout the product development lifecycle and ensuring that all products and services meet necessary security standards. By doing so, software manufacturers can reduce customer risk, enhance overall product security, and contribute to a more secure digital ecosystem.