Reposted from CISA/DHS
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation released revised Product Security Bad Practices, a guide to practices that are deemed especially risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs). This joint guide does not include every possible inadvisable cybersecurity practice, nor does it impose any implementation requirement. This revised joint guide incorporates feedback from the public comment period in late 2024. The updates include new bad practices, additional context, and clarifications, such as patching for Known Exploited Vulnerabilities and software manufacturers' support for phishing-resistant multifactor authentication.
The bad practices in this guide are divided into three categories, chosen based on the current threat landscape. The categories are:
· Product properties listed describe observable, security-related qualities of a software product.
· Security features listed describe the security functionalities that a product supports.
· Organizational processes and policies listed describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.
Software products and services that manufacturers should consider when applying this joint guide include on-premises software, cloud services, and software as a service. The lack of inclusion of any particular cybersecurity practice does not indicate that CISA endorses such a practice or deems such a practice to present acceptable levels of risk. Manufacturers who develop software products and services used in support of critical infrastructure or NCFs are strongly encouraged to review and implement recommended actions.