CISA and FBI Update Guidance on Risky Software Security Practices

Learn why secure software development practices matter for critical infrastructure, which practices CISA and the FBI now flag as exceptionally risky, and how addressing them can strengthen your pitch for CloudGuard solutions.


CISA and the FBI have updated their guidance on risky software security practices, emphasizing the need for software manufacturers to prioritize security, especially in products used by critical infrastructure. The guidance calls out practices such as developing in memory-unsafe languages, shipping default passwords, and using components with known vulnerabilities, and stresses support for multi-factor authentication and timely publication of CVEs. New additions cover hardcoded credentials, outdated cryptographic functions, and inadequate product support (including the absence of a clearly stated support period). The update also adds examples for preventing SQL injection and command injection, and revises the MFA section with recommendations specific to operational technology (OT) products, which should support phishing-resistant MFA. The guidance is aimed at manufacturers of on-premises, cloud, and SaaS products and is meant to help them improve product security and signal their commitment to customer security outcomes.


Key Facts

Risks:

Patch Management, Hardcoded Secrets, Weak or Compromised Credentials, Web App/Website Vulnerability

Keywords:

Software Security, CISA, FBI, Risky Practices, Multi-Factor Authentication, Cryptographic Functions, Critical Infrastructure

CVE:

N/A

Affected:

N/A


Article Body

Updated Guidance on Risky Software Security Practices

The US cybersecurity agencies CISA and the FBI have issued updated guidance on risky software security practices, aimed at software manufacturers, especially those developing for critical infrastructure. The guidance, titled Product Security Bad Practices, identifies practices the agencies consider exceptionally risky and recommends how to address each one.

Key Risky Practices

The guidance groups the risky practices into three categories: product properties, security features, and organizational processes. Practices called out include:

- Developing products in memory-unsafe languages
- Shipping products with default passwords
- Using components with known (exploitable) vulnerabilities
- Passing user-supplied input into SQL queries or OS command strings without proper handling (SQL and command injection)
- Failing to support multi-factor authentication
- Failing to publish CVEs for discovered vulnerabilities in a timely manner
New Additions and Recommendations

The updated guidance introduces three new risky practices:

- Hardcoded credentials in products
- Use of outdated or insecure cryptographic functions
- Inadequate product support, including the absence of a clearly stated support period

The update also adds examples of how to prevent SQL injection and command injection vulnerabilities, and it revises the MFA section with recommendations specific to operational technology products, advocating phishing-resistant MFA for those environments.
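As an added illustration of the two injection classes the guidance addresses (this is example code written for this page, not material from the CISA/FBI guidance or the SecurityWeek article), the block below shows the bad practice beside the recommended form for each: user input spliced into a SQL string versus a parameterized query, and user input concatenated into a shell command line versus an argv list with no shell, plus an allow-list validator for the one argument the caller does control. It assumes a POSIX /bin/sh and an `echo` binary for the command-injection demonstration; the sample table and the payloads are constructed here.

```python
"""Vulnerable vs. hardened handling of user input in SQL and OS commands.

Added example; assumes a POSIX /bin/sh and an `echo` binary for the
command-injection demo. The sample database is constructed inline.
"""
import re
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory sample table (not data from the guidance)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Bad practice: user input spliced into the SQL string.

    A name of  x' OR '1'='1  turns the WHERE clause into a tautology
    and returns every row in the table.
    """
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver binds `name` as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def echo_unsafe(user_input):
    """Bad practice: user input concatenated into a shell command line.

    With shell=True the string goes through /bin/sh, so `;`, `|`, `$()`
    and backticks inside user_input are interpreted as shell syntax.
    """
    proc = subprocess.run(
        f"echo {user_input}", shell=True, capture_output=True, text=True
    )
    return proc.stdout


def echo_safe(user_input):
    """No shell: argv list, so metacharacters reach `echo` as a literal argument."""
    proc = subprocess.run(
        ["echo", user_input], capture_output=True, text=True
    )
    return proc.stdout


# Hostname allow-list: letters, digits, dots and hyphens, and it may not
# start with '-' (which the called program would otherwise parse as an option).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def ping_argv(host):
    """Validate against the allow-list, then build an argv list for ping.

    Returns the argv list instead of running it so the example stays
    offline; a caller would pass it to subprocess.run without shell=True.
    """
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe SQL:", lookup_unsafe(db, payload))   # both rows leak
    print("safe SQL:  ", lookup_safe(db, payload))     # []
    cmd = "hi; echo INJECTED"
    print("unsafe cmd:", repr(echo_unsafe(cmd)))       # 'hi\nINJECTED\n'
    print("safe cmd:  ", repr(echo_safe(cmd)))         # 'hi; echo INJECTED\n'
    print("argv:      ", ping_argv("example.com"))     # ['ping', '-c', '1', 'example.com']
```

The two hardened functions rely on the same principle: keep user data out of any string that a parser (the SQL engine or the shell) will interpret, and hand it over through a channel that treats it as data. The allow-list in `ping_argv` is a second layer for arguments that must eventually be interpreted by another program, and it also blocks argument injection (a host of `-f`), which an argv list alone does not.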

Intended Audience and Implementation

The guidance is intended for developers of on-premises software, cloud services, and software-as-a-service (SaaS) products, and it also applies to software running on operational technology (OT) products and embedded systems. CISA and the FBI urge all software manufacturers to review it and, by adopting its recommendations, to signal their commitment to customer security outcomes in line with secure-by-design principles.


Read More

https://www.securityweek.com/cisa-fbi-update-software-security-recommendations/