Press Release

CISA and FBI Release Product Security Bad Practices for Public Comment

Catalog enumerates exceptionally risky practices and provides recommendations for software manufacturers to build software that is secure by design
Released

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released the Product Security Bad Practices for public comment today. This catalog outlines practices that are deemed exceptionally risky and provides recommendations for software manufacturers to mitigate these risks. It urges software manufacturers to avoid these bad practices, especially those who produce software used in service of critical infrastructure or national critical functions (NCFs). Members of the public may submit public comment on this guidance starting today.

The National Cybersecurity Strategy calls for a fundamental shift to rebalance the responsibility to defend cyber space onto those best positioned to bear it; namely, the software manufacturers who build products underpinning our collective digital infrastructure. Fully realizing this shift requires an understanding of the most egregious software development practices that software manufacturers must avoid. This catalog enumerates such practices.

“It’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop. These product security bad practices pose unacceptable risks in this day and age, and yet are all too common.” said CISA Director Jen Easterly. “We hope that by following this clear-cut, voluntary guidance, software manufacturers can lead by example in taking ownership of their customers’ security outcomes and fostering a secure by design future. Please provide input and let us know how we can improve this list of bad practices.”

“Our National Cybersecurity Strategy highlights the importance of securing our nation’s critical infrastructure and shoring up our cyber defenses,” said White House National Cyber Director Harry Coker Jr. “The impact of product security bad practices has wide-ranging consequences across our nation and is often felt by the American people. Our private sector partners must shoulder their responsibility and build secure products and I’m glad to see this document as another tool to help software manufacturers do just that. We need to work together to prioritize best practices to better protect our nation.”

“Bad practices in software development, especially when that software will be used by critical infrastructure, put both customers and our national security at risk,” said Assistant Director of the FBI’s Cyber Division Bryan Vorndran. “The FBI urges software manufacturers to avoid the risky practices described in this guidance, which lead to vulnerabilities that malicious actors routinely exploit.”

These product security bad practices represent the next major step in CISA and partners’ global Secure by Design initiative, which has joined forces with 18 U.S. and international agencies to publish guidance and catalyzed commitments from over 220 software manufacturers to CISA’s Secure by Design Pledge. The bad practices build on practices laid out in the pledge and other guidance including NIST’s Secure Software Development Framework. This catalog will be a central guiding document in CISA’s Secure by Design initiative going forward, playing a key role informing future guidance and actions.

This joint guidance lists the bad practices in three categories:

  • Product properties, which describe observable, security-related qualities of a software product.
  • Security features, which describe the security functionalities that a product supports.
  • Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.

CISA selected the bad practices based on the threat landscape as representing the most dangerous and pressing items that software manufacturers should avoid.

The public comment period concludes on Monday, December 16, 2024. During the comment period, members of the public can provide comments and feedback via the Federal Register at Request for Comment on Product Security Bad Practices Guidance. Following the public comment period, CISA will issue a revised version of the bad practices.

To learn more about the Secure by Design initiative, visit Secure by Design on CISA.gov.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on XFacebookLinkedIn, Instagram