On October 16, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) published guidance on Product Security Bad Practices (the “Guidance”) that identifies “exceptionally risky” product security practices for software manufacturers. The Guidance states that the ten identified practices—categorized as (1) Product Properties, (2) Security Features, or (3) Organizational Processes and Policies—are “dangerous and significantly elevate[] risk to national security, national economic security, and national public health and safety.”
The Guidance offers recommendations to remediate each of the identified practices and states that adoption of the recommendations indicates software manufacturers “are taking ownership of customer security outcomes.” Provided below are the ten practices and associated recommendations.
I. Product Properties
- Development Not in Memory Safe Languages – The Guidance recommends software manufacturers protect against “memory safety vulnerabilities,” such as through the use of a memory safe language or protective hardware.
- Inclusion of User-Provided Input in SQL Query Strings – The Guidance encourages product designs “that systematically prevent the introduction of SQL injection vulnerabilities, such as by consistently enforcing the use of parametrized queries.”
- Inclusion of User-Provided Input in Operating System Command Strings – The Guidance recommends product designs “that systematically prevent[] command injection vulnerabilities, such as by consistently ensuring that command inputs are clearly delineated from the contents of a command itself.”
- Presence of Default Passwords – The Guidance suggests the use of (among others) “instance-unique initial passwords,” requiring users to create new passwords during installation, and “time-limited setup passwords.”
- Presence of Known Exploited Vulnerabilities – The Guidance states that known exploited vulnerabilities (“KEV”) should be patched before a product is deployed. The Guidance also recommends that software manufacturers offer a free and timely patch to customers when CISA’s catalog introduces a new KEV and advise customers “of the associated risks of not installing the patch.”
- Presence of Open Source Software with Known Exploitable Vulnerabilities – The Guidance encourages software manufacturers to make “a reasonable effort to evaluate and secure their open source software dependencies.” In particular, the Guidance recommends conducting security scans on the initial and subsequent versions of open source software incorporated into the product and “[r]outinely monitor[ing] for Common Vulnerabilities and Exposures (CVEs) or other security-relevant alerts . . . in all open source software dependencies and update[ing] them as necessary,” among other recommended steps. The Guidance further encourages software manufacturers to offer customers “a software bill of materials.”
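The SQL and operating-system command items above both come down to one design rule: user input is passed as data, never spliced into the text that a parser (the database engine or the shell) will interpret. The following Python example is added here to illustrate that rule; it is not code from the Guidance or from CISA. The table contents, the function names and the sample filename are constructed for the example. The "unsafe" functions keep the concatenation pattern the Guidance warns against so the two forms can be compared side by side.

```python
import sqlite3
import subprocess
import sys


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def roles_by_name_unsafe(conn, name):
    """Concatenation: the input becomes part of the SQL text, so a quote
    character inside it changes the structure of the statement."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def roles_by_name_safe(conn, name):
    """Parametrized query: the statement structure is fixed before the
    value is seen; the driver binds the input as a literal value."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def shell_line_unsafe(filename):
    """Builds a shell command line by concatenation (returned, not run).
    Handed to a shell, a ';' in filename would end the intended command
    and start a second one."""
    return "wc -l " + filename


def argv_safe(filename):
    """Argument vector: each list element is exactly one argument, and
    '--' marks the end of options, so filename is delivered verbatim."""
    return ["wc", "-l", "--", filename]


def count_args_received(filename):
    """Runs a child process with an argument vector (Python itself, to
    avoid depending on external tools) and returns how many arguments
    the child saw. With a vector, any metacharacters in filename still
    arrive as a single argument."""
    argv = [sys.executable, "-c",
            "import sys; print(len(sys.argv[1:]))", filename]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return int(result.stdout.strip())


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote character.
    print(roles_by_name_unsafe(db, "' OR '1'='1"))   # both roles leak
    print(roles_by_name_safe(db, "' OR '1'='1"))     # no match
    # Constructed filename containing a shell metacharacter.
    print(shell_line_unsafe("report.txt; echo injected"))
    print(count_args_received("report.txt; echo injected"))  # 1
```

The safe variants never call `shell=True` and never build query text from input; that is what "consistently enforcing" looks like in code review: any string concatenation feeding `execute()` or a shell is a finding regardless of how the input is sanitized.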
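The default-password item above names three concrete measures: an initial password that is unique to each instance, an expiry on that setup password, and a forced change during installation. The Python example below is added here to show how the three fit together; it is not code from the Guidance or from any vendor. The fifteen-minute lifetime, the twelve-character minimum and the record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed policy values for the example.
SETUP_TTL_SECONDS = 15 * 60
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_setup_credential(now=None):
    """Instance-unique, time-limited setup password. The plaintext is
    returned once (to print on a device label or first-boot console);
    only a salted hash and the expiry are stored."""
    now = time.time() if now is None else now
    password = secrets.token_urlsafe(12)      # fresh random value per instance
    salt = os.urandom(16)
    record = {
        "salt": salt,
        "hash": _hash(password, salt),
        "expires": now + SETUP_TTL_SECONDS,
        "used": False,
    }
    return password, record


def verify_setup_password(record, candidate, now=None):
    """Rejects expired or already-consumed setup passwords before doing
    the constant-time hash comparison."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False
    return hmac.compare_digest(_hash(candidate, record["salt"]), record["hash"])


def complete_setup(record, candidate, new_password, now=None):
    """Installation step: the setup password is accepted once, the user
    must choose a new password that differs from it, and the setup
    credential is retired. Returns the stored record for the new
    password, or None if setup is refused."""
    if not verify_setup_password(record, candidate, now):
        return None
    if len(new_password) < MIN_PASSWORD_LEN or new_password == candidate:
        return None
    record["used"] = True                      # setup password cannot be reused
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(new_password, salt)}


if __name__ == "__main__":
    pw, rec = make_setup_credential()
    print("setup password (shown once):", pw)
    print("accepted:", verify_setup_password(rec, pw))
    print("new record:", complete_setup(rec, pw, "operator-chosen-passphrase") is not None)
    print("setup password still valid:", verify_setup_password(rec, pw))  # False
```

Two design points worth noting: the setup password never appears in firmware or documentation, since it is generated per instance, and the `used` flag plus the expiry mean that a leaked label or an unboxed device left on a shelf does not stay exploitable indefinitely.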