web analytics

CISA, FBI Seek Public Comment on Software Security Bad Practices Guidance – Source: www.securityweek.com

cisa,-fbi-seek-public-comment-on-software-security-bad-practices-guidance-–-source:-wwwsecurityweek.com
Rate this post

Source: www.securityweek.com – Author: Ionut Arghire

The US cybersecurity agency CISA and the FBI have released new guidance on security bad practices for software manufacturers and are inviting the public to provide feedback on it.

The guidance urges the makers of software and services for the critical infrastructure or national critical functions (NCFs) to prioritize security throughout the development process and reduce customer security risks.

It offers an overview of product security bad practices considered exceptionally risky and provides recommendations for mitigating them, in line with CISA’s Secure by Design initiative.

“The guidance contained in this document is non-binding and while CISA encourages organizations to avoid these bad practices, this document imposes no requirement on them to do so,” the agency notes.

The authoring agencies have divided the product security bad practices into three categories, namely product properties, security features, and organizational processes and policies.

Bad practices related to product properties, or the security-related qualities of software, include the use of memory-unsafe languages, the inclusion of use input in SQL query and operating system command strings, the use of default passwords, and the use of components that contain known vulnerabilities or issues listed in CISA’s KEV catalog.

When it comes to security features, bad practices include the lack of multi-factor authentication (MFA) and the lack of capabilities to gather evidence of intrusion in the baseline version of a product.

Organizational processes and policies refer to software makers’ transparent approach to security, and bad practices include the failure to publish CVEs with CWEs in a timely manner and not having a published vulnerability disclosure policy.

Advertisement. Scroll to continue reading.

“While this guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices,” CISA notes.

The authoring agencies are encouraging interested parties to provide feedback on the guidance by December 2, 2024, via the Federal Register.

Related: CISA Releases Cyber Defense Alignment Plan for Federal Agencies

Related: MFA Isn’t Failing, But It’s Not Succeeding: Why a Trusted Security Tool Still Falls Short

Related: ICS Environments: Insecure by Design

Related: Today’s Network Is Different, Not Dead – Here’s How You Secure It

Original Post URL: https://www.securityweek.com/cisa-fbi-seek-public-comment-on-software-security-bad-practices-guidance/

Category & Tags: Application Security,Government,CISA,guidance – Application Security,Government,CISA,guidance

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
WILEY
Cybercrime Investigators Handbook by WILEY
Cybercrime Investigators Handbook by WILEY
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE
Federal Office for Information Security
El estado de la seguridad informática en Alemania en 2023
El estado de la seguridad...
Microsoft
GDPR & Generative AI
GDPR & Generative AI
European Union Agency for Fundamental Rights
GDPR IN PRACTICE
GDPR IN PRACTICE
FS.ISAC
Navigating Cyber
Navigating Cyber
KPMG
Fraud risk management
Fraud risk management
CYFIRMA
Fletchen Stealer
Fletchen Stealer
IGNITE Technologies
FILE TRANSFER CHEAT SHEET
FILE TRANSFER CHEAT SHEET
Securesee
CYBER CRISIS INVESTIGATION AND MANAGEMENT
CYBER CRISIS INVESTIGATION AND MANAGEMENT
ACN
Guidelines for secure AI system development
Guidelines for secure AI system...
Incibe
Ciberseguridad en Smart Toys
Ciberseguridad en Smart Toys

More Latest Published Posts

Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos
INNOVERY
RESILIENCIA
RESILIENCIA
CEH
Certifications Preparation Guide
Certifications Preparation Guide
Sandhya Kaushik
Checklist for Securing Your Android Apps
Checklist for Securing Your Android Apps
aDvens
May Cyber Threat Intelligence monthly report
May Cyber Threat Intelligence monthly report
Insikt Group
Caught in the Net
Caught in the Net
IGNITE Technologies
BURP SUITE FOR PENTESTER TURBO INTRUDER
BURP SUITE FOR PENTESTER TURBO INTRUDER
SYED ABUTHAHIR
BUG BOUNTY AUTOMATION WITH PYTHON
BUG BOUNTY AUTOMATION WITH PYTHON
Foresiet
Brand Impersonation Attacks
Brand Impersonation Attacks
Google Cloud
Board of Directors Handbook for Cloud Risk Governance
Board of Directors Handbook for Cloud Risk Governance
ISACA
Blueprint for Ransomware Defense
Blueprint for Ransomware Defense