
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are urging vendors to prioritize security to reduce customer risk. The updated guidance for critical software vendors adds three bad practices and other recommendations.
The agencies updated joint guidance that defines bad security practices to incorporate additional information and context.
The three new bad practices include the following:
- The use of known insecure or outdated cryptographic algorithms, or lack of encryption for sensitive information in transit or at rest. CISA recommends avoiding Transport Layer Security (TLS) 1.0/1.1, MD5, SHA-1, and the Data Encryption Standard (DES). Software manufacturers should begin supporting standardized post-quantum cryptographic algorithms consistent with NIST guidance. All websites should use modern TLS encryption.
- Hardcoded credentials or secrets in the source code of software used for critical infrastructure. Vendors should use a secure secret manager that allows retrieving secrets securely, and use scanning for the presence of secrets or credentials in the code.
- Not clearly communicating the product support period. The documents recommend that software vendors clearly communicate the period of support for their products at the time of sale and provide security updates throughout that period.
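As an added illustration of the secret-scanning and deprecated-algorithm checks named above (not part of the agencies' guidance or of any official tool), the following Python script flags hardcoded credentials and uses of MD5, SHA-1, DES and TLS 1.0/1.1 in source text; the rule names, the sample source and every secret value in it are constructed for this example.

```python
import re

# Rules for two of the newly listed bad practices: hardcoded credentials/secrets,
# and known-insecure or outdated cryptographic algorithms and TLS versions.
SECRET_RULES = {
    "credential_assignment": re.compile(
        r'(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[=:]\s*["\'][^"\']{4,}["\']'),
    "private_key_block": re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----'),
}
CRYPTO_RULES = {
    "md5": re.compile(r'(?i)\bmd5\b'),
    "sha1": re.compile(r'(?i)\bsha-?1(?![0-9])'),
    "des": re.compile(r'\b(?:3DES|DES)\b'),
    # TLS 1.0/1.1 in OpenSSL-style (TLSv1, PROTOCOL_TLSv1_1) or prose-style (TLS 1.0)
    # spellings; the lookahead keeps TLSv1.2 / TLSv1_3 from matching.
    "tls_1_0_1_1": re.compile(r'(?i)\b(?:PROTOCOL_)?TLS\s?v?1(?:[._][01])?\b(?![._]?[23])'),
}

def scan_source(text):
    """Return one finding per (line, rule) hit; quoted secret values are redacted in the echo."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue  # comment-only lines are noise for this check
        for rule, pattern in SECRET_RULES.items():
            if pattern.search(stripped):
                findings.append({"line": number, "kind": "hardcoded_secret", "rule": rule,
                                 "text": re.sub(r'["\'][^"\']+["\']', '"***"', stripped)})
        for rule, pattern in CRYPTO_RULES.items():
            if pattern.search(stripped):
                findings.append({"line": number, "kind": "insecure_crypto", "rule": rule,
                                 "text": stripped})
    return findings

# Constructed sample source: every value here is made up for the demonstration.
SAMPLE_SOURCE = """\
import hashlib, os, ssl
DB_PASSWORD = "hunter2-prod"                    # bad: credential in source
api_key = "sk_live_0123456789abcdef"            # bad: secret in source
digest = hashlib.md5(payload).hexdigest()       # bad: MD5
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)      # bad: TLS 1.1
safe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # fine: negotiates TLS 1.2+
token = os.environ["API_TOKEN"]                 # fine: secret comes from a manager/env
"""

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_SOURCE):
        print(f"line {hit['line']:>2}  {hit['kind']:<16} {hit['rule']:<22} {hit['text']}")
```

Run against the constructed sample it reports the two hardcoded secrets (with their values redacted), the MD5 call and the TLS 1.1 context, and stays silent on the environment-sourced token and the TLS 1.2+ context.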
The document now identifies 13 bad software development practices in total, including using memory-unsafe languages, leaving open command injection vulnerabilities, including known exploited vulnerabilities at release, and using inadequate authentication approaches.
The guidance also stresses the importance of implementing phishing-resistant multi-factor authentication and patching known exploited vulnerabilities (KEVs) in a timely manner, no later than 30 days from the date on which a patch for the component containing the KEV is made available.
This voluntary guidance is aimed at preventing software development practices that are considered exceptionally risky, especially when the products are used for critical infrastructure or national critical functions.