cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Caute_cautim
Community Champion

Product Security Bad Practices

Hi All

 

As outlined in CISA’s Secure by Design initiative, software manufacturers should ensure that security is a core consideration from the onset of software development. This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs) and provides recommendations for software manufacturers to mitigate these risks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) (hereafter referred to as the authoring organizations) developed this guidance to urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. This document is intended for software manufacturers who develop software products and services—including on-premises software, cloud services, and software as a service (SaaS)—used in support of critical infrastructure or NCFs. The authoring organizations strongly encourage all software manufacturers to avoid these product security bad practices. By following the recommendations in this guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key Secure by Design principle. The guidance contained in this document is non-binding and while CISA encourages organizations to avoid these bad practices, this document imposes no requirement on them to do so.

 

https://www.cisa.gov/resources-tools/resources/product-security-bad-practices

 

Regards

 

Cautim_Cautim

2 Replies
Steve-Wilme
Advocate II

Maybe penalties should apply to software vendors rather than customers who license off the shelf software that has vulnerabilities.  It's probably not realistic for customers to assess the security of closed source products and assurance approaches using SOC2 or similar approach are point in time.  The costs should be carried by the vendors and 'buyer beware' simply doesn't work with any reasonably complex product.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
funkychicken
Contributor I

Well today I have been talking to a company about the new NIST2 standards for OT network and data for analysis being sent to a cloud company. I found out that the HTTPS session could be jumped on to allow them back into the network using a reverse shell which they claimed to used for support. After a long conversation, their software needs a re-write and split out into 2 different applications instead of 1. I think this just goes to show that companies have not considered security for a long time and sometimes a complete re-design is the only option sometimes.