CISA Seeks Feedback on Upcoming Product Security Flaws Guidance
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a request for comment on its draft Product Security Bad Practices guidance.
This upcoming guidance, developed as part of CISA’s Secure by Design initiative, will provide an overview of product security practices deemed exceptionally risky, particularly for organizations supporting critical national infrastructure (CNI) or national critical functions (NCFs).
It will list recommendations for software manufacturers developing software products and services, including on-premises software, cloud services and software as a service (SaaS), to mitigate these risks. The recommendations are voluntary and non-binding.
Product Properties, Security Features and Organizational Policies
The Product Security Bad Practices guidance, drafted by CISA’s Cybersecurity Division (CSD) and co-sealed with the FBI, currently includes three categories:
- Product properties, which describe the observable security-related qualities of a software product itself (e.g. shipping with default passwords, or containing known exploited vulnerabilities)
- Security features, which describe the security functionality a product supports (e.g. no support for multifactor authentication, or no audit logs available to customers)
- Organizational processes and policies, which describe the actions a software manufacturer takes to be transparent about its approach to security (e.g. having no vulnerability disclosure policy, or not reporting vulnerabilities it discovers)
CISA said it would like stakeholders to provide feedback on this list and input on analysis or approaches currently absent from the guidance.
CISA’s Secure by Design initiative is a strategic approach aimed at fostering a culture where cybersecurity is a fundamental consideration from the very inception of product development.
“By choosing to follow the recommendations in the draft guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key secure by design principle,” said the agency.
Stakeholders who wish to comment on the draft guidance should submit their feedback by December 2, 2024.