CISA Seeks Public Input on Product Security Guidance


Quick take - The Cybersecurity and Infrastructure Security Agency (CISA) is soliciting public feedback until December 16, 2024, to inform its upcoming Product Security Bad Practices guidance, which aims to identify hazardous software development practices and promote safer development processes within the context of its Secure by Design initiative.

Fast Facts

  • CISA is seeking public input on its upcoming Product Security Bad Practices guidance, with comments due by December 16, 2024, as part of its Secure by Design initiative.
  • The guidance aims to identify hazardous software development practices, particularly for software used in critical infrastructure and national critical functions.
  • Key areas of concern include product properties (e.g., use of memory-safe languages), security features (e.g., implementation of multi-factor authentication), and organizational processes (e.g., timely vulnerability disclosures).
  • The guidance is non-binding and encourages manufacturers to avoid identified bad practices without imposing legal obligations.
  • CISA emphasizes the importance of timely patches, responsible management of open-source components, and the need for a vulnerability disclosure policy to enhance overall software security.

CISA Seeks Public Input on Product Security Bad Practices Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) is actively seeking public input to shape its forthcoming Product Security Bad Practices guidance. The deadline for submitting comments is December 16, 2024. This guidance is a pivotal element of CISA’s Secure by Design initiative, which emphasizes the importance of embedding security measures into the software development process from the outset.

Identifying Hazardous Practices

The guidance is designed to pinpoint particularly hazardous software development practices, especially concerning software used in critical infrastructure or national critical functions (NCFs). It targets software manufacturers across a wide range of products, including on-premises software, cloud services, and software as a service (SaaS). Notably, the guidance is non-binding and does not impose legal obligations on organizations; instead, it encourages the avoidance of identified bad practices.

CISA has categorized the identified bad practices into three main areas: product properties, security features, and organizational processes and policies. The list of bad practices is not exhaustive and does not suggest that practices not included are endorsed by CISA. The recommendations are informed by the current threat landscape and highlight significant risks for software manufacturers.

Key Areas of Concern

In terms of product properties, several key areas are identified:

  • Development in memory-unsafe languages such as C or C++ is considered risky for products related to critical infrastructure or NCFs. Manufacturers are encouraged to use memory-safe languages whenever possible.
  • Existing products developed in memory-unsafe languages must have a memory safety roadmap published by January 1, 2026, outlining plans to mitigate vulnerabilities.
  • The inclusion of user-provided input in SQL query strings is another significant risk. Manufacturers should use parameterized queries to protect against SQL injection vulnerabilities.
  • User-provided input in operating system command strings should be clearly delineated from the command itself, so that the input cannot be interpreted as part of the command.
  • The presence of default passwords in products is identified as dangerous. Manufacturers should either provide unique initial passwords or require strong passwords during installation.
  • Products must not be released with known exploitable vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, and timely patches should be made available for any new vulnerabilities that arise.
  • Open-source software components with known vulnerabilities should be managed responsibly, necessitating the maintenance of a software bill of materials (SBOM) and conducting regular security scans.
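As an added illustration of two of the product-property items above (example code written here, not CISA's guidance text or this article's own code), the Python below places the SQL string-splicing and command string-splicing patterns beside the parameterized-query and argv forms the guidance calls for; the user table, file name and tar command are constructed for the example.

```python
import shlex
import sqlite3


def make_db():
    """Constructed in-memory sample table; not data from any real product."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user")])
    return conn


def lookup_role_concat(conn, name):
    """Bad practice: the user-supplied name is spliced into the SQL text,
    so the database engine parses the input as part of the statement.
    A name containing a quote already breaks the query."""
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_param(conn, name):
    """Parameterized query: the name is bound as a value and is never
    interpreted as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def build_cmd_concat(filename):
    """Bad practice: the file name is pasted into a shell command string,
    so the shell decides where the arguments begin and end."""
    return f"tar -czf backup.tgz {filename}"


def build_cmd_argv(filename):
    """Delineated form: an argv list with no shell involved; the input is
    passed as exactly one argument regardless of spaces or metacharacters."""
    return ["tar", "-czf", "backup.tgz", filename]


def shell_would_see(cmd):
    """Tokenize a command string the way a POSIX shell would before running it."""
    return shlex.split(cmd)
```

Running `lookup_role_concat` with the name `o'brien` raises a syntax error from SQLite, while `lookup_role_param` returns `["user"]`; `shell_would_see(build_cmd_concat("notes 2024.txt"))` shows the file name split into two arguments, which `build_cmd_argv` keeps as one.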

Enhancing Security Features and Processes

Regarding security features, the lack of multi-factor authentication (MFA) is considered risky. Manufacturers should implement MFA in baseline versions and make it a requirement for administrative access. Products should also be equipped with capabilities to gather evidence of potential intrusions, including maintaining logs of configuration changes, identity flows, and data access.

In the area of organizational processes and policies, timely publication of Common Vulnerabilities and Exposures (CVEs) for critical vulnerabilities is essential. Manufacturers are urged to include the Common Weakness Enumeration (CWE) field in their CVE records. A published vulnerability disclosure policy is recommended, which should authorize public testing, provide a clear reporting channel, and facilitate public disclosure of vulnerabilities. Manufacturers are encouraged to remediate reported vulnerabilities in a timely and prioritized manner to enhance overall security.

CISA’s upcoming guidance seeks to strengthen the security of software products by highlighting risky practices and advocating for safer development and operational processes. By engaging the public in the comment process, CISA aims to refine its recommendations and promote a more secure software ecosystem.
