ADVERTISEMENT

FBI and CISA alert software vendors: stop hardcoding secrets, use secure cryptography

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are urging vendors to prioritize security to reduce customer risk. The updated guidance for critical software vendors adds three bad practices and other recommendations.

Hacker coding

By Shutterstock

Ernestas Naprys
Ernestas Naprys Senior Journalist
Jan 20, 2025 1 min read
  • The use of known insecure or outdated cryptographic algorithms, or lack of encryption for the transit or storage of sensitive information. CISA recommends avoiding utilizing Transport Layer Security (TLS) 1.0/1.1, MD5, SHA-1, and Data Encryption Standard (DES). Software manufacturers should begin supporting standardized post-quantum cryptographic algorithms consistent with NIST guidance. All websites should use modern TLS encryption.
  • Hardcoded credentials or secrets in the source code of software used for critical infrastructure. Vendors should use a secure secret manager that allows retrieving secrets securely, and use scanning for the presence of secrets or credentials in the code.
  • Not clearly communicating product support period. The documents recommend that software vendors clearly communicate the period of support for their products at the time of sale and provide security updates throughout the support period.
ADVERTISEMENT
vilius Konstancija Gasaityte Gintaras Radauskas Paulius Grinkevičius B&W
Get our latest stories today on Google News
Add us as your Preferred Source on Google.
ADVERTISEMENT