CISA Seeks Feedback on Upcoming Product Security Flaws Guidance
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a request for comment on its draft Product Security Bad Practices guidance.
This upcoming guidance, developed as part of CISA’s Secure by Design initiative, will provide an overview of product security practices deemed exceptionally risky, particularly for organizations supporting critical national infrastructure (CNI) or national critical functions (NCFs).
It will list recommendations for software manufacturers developing software products and services, including on-premises software, cloud services and software as a service (SaaS), to voluntarily mitigate these risks. These recommendations are non-binding.
Product Properties, Security Features and Organizational Policies
The Product Security Bad Practices guidance, drafted by CISA’s Cybersecurity Division (CSD) and co-sealed with the FBI, currently includes three categories:
- Product properties, which describe the observable security-related qualities of a software product itself (e.g. default passwords, critical known exploitable vulnerabilities)
- Security features, which describe the security functionalities that a product supports (e.g. unsupported multifactor authentication, unavailable audit logs)
- Organizational processes and policies, which describe actions taken by a software manufacturer to ensure transparency in its approach to security (e.g. lack of vulnerability disclosure policy, lack of vulnerability reporting)
CISA said it would like stakeholders to provide feedback on this list and input on analysis or approaches currently absent from the guidance.
CISA’s Secure by Design initiative is a strategic approach aimed at fostering a culture where cybersecurity is a fundamental consideration from the very inception of product development.
“By choosing to follow the recommendations in the draft guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key secure by design principle,” said the agency.
People interested in contributing to the guidance should do so by December 2, 2024.