Product Security Bad Practices

TLP:CLEAR

Overview

As outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure by Design initiative, software manufacturers should ensure that security is a core consideration from the onset of software development and throughout the entirety of the development lifecycle. This voluntary guidance provides an overview of product security bad practices that are considered exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs). This guidance also provides recommendations for software manufacturers to mitigate these risks.

CISA and the Federal Bureau of Investigation (FBI)—hereafter referred to as the authoring organizations—developed this guidance to urge software manufacturers to reduce customer risk by prioritizing security throughout the product lifecycle. This document is intended for software manufacturers who develop software products and services, including on-premises software, cloud services, and software as a service (SaaS). This also applies to software products that run on operational technology (OT) products or embedded systems. The authoring organizations strongly encourage all software manufacturers to avoid these product security bad practices. By following the recommendations in this guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key secure by design principle. The guidance contained in this document is non-binding, and while the authoring organizations encourage avoiding these bad practices, this document imposes no requirement to do so.

The bad practices are divided into three categories.

  1. Product properties, which describe the observable, security-related qualities of a software product.
  2. Security features, which describe the security functionalities that a product supports.
  3. Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.

This list is deliberately focused and does not include every inadvisable cybersecurity practice. The omission of a particular practice from this list does not mean that the authoring organizations endorse it or consider it to present an acceptable level of risk. The items on this list were chosen, based on the current threat landscape, as the most dangerous and pressing bad practices that software manufacturers should avoid.
