Maybe penalties should apply to software vendors rather than customers who license off the shelf software that has vulnerabilities.  It's probably not realistic for customers to assess the security of closed source products and assurance approaches using SOC2 or similar approach are point in time.  The costs should be carried by the vendors and 'buyer beware' simply doesn't work with any reasonably complex product.

Well today I have been talking to a company about the new NIST2 standards for OT network and data for analysis being sent to a cloud company. I found out that the HTTPS session could be jumped on to allow them back into the network using a reverse shell which they claimed to used for support. After a long conversation, their software needs a re-write and split out into 2 different applications instead of 1. I think this just goes to show that companies have not considered security for a long time and sometimes a complete re-design is the only option sometimes. 

---

@Caute_cautim wrote:

Hi All

 

As outlined in CISA’s Secure by Design initiative, software manufacturers should ensure that security is a core consideration from the onset of software development. This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs) and provides recommendations for software manufacturers to mitigate these risks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) (hereafter referred to as the authoring organizations) developed this guidance to urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. This document is intended for software manufacturers who develop software products and services—including on-premises software, cloud services, and software as a service (SaaS)—used in support of critical infrastructure or NCFs. The authoring organizations strongly encourage all software manufacturers to avoid these product security bad practices. By following the recommendations in this guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key Secure by Design principle. The guidance contained in this document is non-binding and while CISA encourages organizations to avoid these bad practices, this document imposes no requirement on them to do so.

 

https://www.cisa.gov/resources-tools/resources/product-security-bad-practicesezpass ma

Regards

 

Cautim_Cautim

---

CISA's Secure by Design initiative encourages software manufacturers to prioritize security from the start of development, especially for software used in critical infrastructure. This guidance outlines risky security practices and offers recommendations to help manufacturers reduce customer risks and enhance security outcomes.