On October 16, 2024, the U.S. Cybersecurity and Infrastructure Security Agency ("CISA") and the Federal Bureau of Investigation ("FBI") published guidance on Product Security Bad Practices (the "Guidance") that identifies "exceptionally risky" product security practices for software manufacturers. The Guidance states that the ten identified practices, categorized as (1) Product Properties, (2) Security Features, or (3) Organizational Processes and Policies, are "dangerous and significantly elevate[] risk to national security, national economic security, and national public health and safety."
The Guidance offers recommendations to remediate each of the identified practices and states that adoption of the recommendations indicates software manufacturers "are taking ownership of customer security outcomes." Provided below are the ten practices and associated recommendations.
I. Product Properties
- Development Not in Memory Safe Languages - The Guidance recommends software manufacturers protect against "memory safety vulnerabilities," such as through the use of a memory safe language or protective hardware.
- Inclusion of User-Provided Input in SQL Query Strings - The Guidance encourages product designs "that systematically prevent the introduction of SQL injection vulnerabilities, such as by consistently enforcing the use of parametrized queries."
- Inclusion of User-Provided Input in Operating System Command Strings - The Guidance recommends product designs "that systematically prevent[] command injection vulnerabilities, such as by consistently ensuring that command inputs are clearly delineated from the contents of a command itself."
- Presence of Default Passwords - The Guidance suggests the use of (among others) "instance-unique initial passwords," requiring users to create new passwords during installation, and "time-limited setup passwords."
- Presence of Known Exploited Vulnerabilities - The Guidance states that known exploited vulnerabilities ("KEV") should be patched before a product is deployed. The Guidance also recommends that software manufacturers offer a free and timely patch to customers when CISA's catalog introduces a new KEV and advise customers "of the associated risks of not installing the patch."
- Presence of Open Source Software with Known Exploitable Vulnerabilities - The Guidance encourages software manufacturers to make "a reasonable effort to evaluate and secure their open source software dependencies." In particular, the Guidance recommends conducting security scans on the initial and subsequent versions of open source software that are incorporated into the product and "[r]outinely monitor[ing] for Common Vulnerabilities and Exposures (CVEs) or other security-relevant alerts . . . in all open source software dependencies and updat[ing] them as necessary," among other recommended steps. The Guidance further encourages software manufacturers to offer customers "a software bill of materials."
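The second and third Product Properties above describe a concrete technique rather than a policy, so here is an added example (not code from the Guidance or from CISA) showing each bad practice beside the remediation the Guidance names: a parameterized query in place of input spliced into a SQL string, and an argv list with no shell in place of input spliced into a command string. It uses only the Python standard library; the user table, the file name and the two attacker payloads are constructed sample data.

```python
"""Added example, not code from the Guidance: the two injection classes
named under Product Properties, each as the bad practice beside the
remediation the Guidance describes (parameterized queries; command
arguments delineated from the command). Standard library only; the
user table and the payloads are constructed sample data."""
import json
import os
import sqlite3
import subprocess
import sys

POSIX = os.name == "posix"

# Constructed attacker inputs: the first closes the SQL string literal,
# the second appends a second shell command.
SQL_PAYLOAD = "x' OR '1'='1"
CMD_PAYLOAD = "report.txt; echo pwned"


def make_db():
    """In-memory table of constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    """Bad practice: user-provided input spliced into the query string.
    The quote in SQL_PAYLOAD ends the literal and the OR clause then
    matches every row."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Remediation: parameterized query. The driver binds the value
    separately from the statement text, so quotes in it are just data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Child program that just reports the argv it received (stands in for
# any tool the product would invoke on a user-supplied file name).
ECHO_ARGV = "import sys, json; print(json.dumps(sys.argv[1:]))"


def run_unsafe(filename):
    """Bad practice: input spliced into a shell command string.
    On a POSIX shell the ';' in CMD_PAYLOAD ends the command and
    'echo pwned' runs as a second command. Returns raw stdout."""
    cmd = '"%s" -c "%s" %s' % (sys.executable, ECHO_ARGV, filename)
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def run_safe(filename):
    """Remediation: pass an argv list with no shell, so the whole input
    reaches the child as exactly one argument whatever it contains.
    Returns the argv list the child saw."""
    proc = subprocess.run([sys.executable, "-c", ECHO_ARGV, filename],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    db = make_db()
    print("unsafe SQL :", lookup_unsafe(db, SQL_PAYLOAD))  # both users
    print("safe SQL   :", lookup_safe(db, SQL_PAYLOAD))    # no match
    print("unsafe cmd :", run_unsafe(CMD_PAYLOAD))         # extra command ran
    print("safe cmd   :", run_safe(CMD_PAYLOAD))           # one argument
```

The point the Guidance makes is structural: neither fix relies on filtering the input. The query parameter and the argv element are carried on a channel the parser never interprets as code, which is what "clearly delineated from the contents of a command itself" means in practice. Escaping or validating the payload would be a per-call-site defence that the next developer can forget.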
II. Security Features
- Lack of Multifactor Authentication - The Guidance states that multifactor authentication should be supported for users and required by default for administrator accounts.
- Lack of Capability to Gather Evidence of Intrusions - The Guidance states that "software manufacturers should make logs available in an industry-standard format" and "[f]or cloud service providers and SaaS products, software manufacturers should retain logs for a set timeframe (at least 6 months) at no additional charge."
III. Organizational Processes and Policies
- Failing to Publish Timely CVEs with CWEs - The Guidance encourages software manufacturers to publish Common Vulnerabilities and Exposures ("CVE") records, each identifying the associated Common Weakness Enumeration ("CWE"), in a timely manner "for all critical or high impact vulnerabilities."
- Failing to Publish a Vulnerability Disclosure Policy - The Guidance recommends software manufacturers release a vulnerability disclosure policy ("VDP") which identifies a reporting system, permits public testing of the product, and "[c]ommits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP." The Guidance also notes that "[s]oftware manufacturers should remediate all valid reported vulnerabilities in a timely and risk-prioritized manner."
The Guidance is open for public comment until December 16, 2024. While its list of bad practices and recommendations is non-binding, the practices are labeled as "the most dangerous and pressing bad practices" to avoid. The release of the Guidance evidences the continued focus on Secure by Design and is consistent with the U.S. government's focus on shifting liability to software manufacturers.