CISA and FBI publish guidance on product security bad practices

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released detailed guidance aimed at software manufacturers to enhance security across the product lifecycle. This document applies to all software products and services, including on-premises software, cloud services, Software as a Service (SaaS), operational technology (OT), and embedded systems. While non-binding, the guidance encourages manufacturers to adopt secure-by-design principles and reduce risks for their customers by avoiding specific bad practices.

The guidance reflects feedback from 78 public comments and introduces three new bad practices:

1. Using known insecure or outdated cryptographic functions.
2. Hardcoded credentials.
3. Insufficient product support periods.

Updates also include:

• Enhanced context on memory safety and multi-factor authentication (MFA), particularly for OT products.
• New examples of actions to prevent SQL injection and command injection vulnerabilities.
• Clear timelines for addressing Known Exploited Vulnerabilities (KEVs).

Some of the recommendation actions to software manufacturers specifically address the critical infrastructure protection. For instance, Software manufacturers are urged to:

• Prevent command injection vulnerabilities: Use library functions, sanitize inputs with restrictive allowlists, and delineate command inputs.
• Eliminate default passwords: Implement instance-unique, random passwords; enforce secure credentials during setup; and support phishing-resistant MFA.
• Patch Known Exploited Vulnerabilities (KEVs): Issue free patches within 30 days of a KEV’s inclusion in CISA’s catalog and communicate risks to users.
• Support Open Source Software (OSS): Contribute responsibly and sustainably to open-source projects relied upon.

By following this guidance, manufacturers signal their commitment to customer security and contribute to a safer software ecosystem.