The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have taken a significant step forward in promoting secure software development by releasing the Product Security Bad Practices catalog for public comment.
This document identifies software development practices deemed particularly risky and provides guidelines for mitigating these risks. It calls on software manufacturers, particularly those producing software for critical infrastructure or national critical functions (NCFs), to avoid these bad practices to strengthen overall cybersecurity.
The public comment period opens today and runs until Monday, December 2, 2024, giving stakeholders a chance to provide input and contribute to refining this guidance.
National Cybersecurity Strategy and the Call for Secure Software
The release of this catalog aligns with the National Cybersecurity Strategy, which aims to shift the responsibility for defending cyberspace onto the entities best positioned to manage it—namely, the software manufacturers. As the strategy highlights, many of the most dangerous cybersecurity vulnerabilities stem from poor software development practices. To fully realize a secure digital infrastructure, manufacturers must avoid these practices, especially when their products are used in critical systems.
CISA Director Jen Easterly stressed the urgency of addressing these risks, noting that “it’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop.” Easterly emphasized that the guidance provided in the catalog is voluntary but designed to encourage software manufacturers to take ownership of their customers’ security and contribute to a future where security is built into software by design.
White House National Cyber Director Harry Coker Jr. echoed this sentiment, pointing to the wide-ranging consequences of poor software security practices and their impact on national security and everyday American lives. He urged the private sector to take its responsibility seriously, saying, “Our private sector partners must shoulder their responsibility and build secure products.”
FBI’s Call for Secure Software Practices
Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, also underscored the importance of avoiding bad practices in software development. According to Vorndran, software used in critical infrastructure must be held to a high standard because vulnerabilities in such systems put both national security and everyday users at risk. The FBI, like CISA, urged software manufacturers to avoid the risky practices outlined in the catalog to prevent vulnerabilities from being exploited by malicious actors.
Secure by Design Initiative
The release of the Product Security Bad Practices catalog is a continuation of CISA’s Secure by Design initiative, a global effort supported by 18 U.S. and international agencies. This initiative encourages software manufacturers to adopt best practices in security and has already secured commitments from over 220 manufacturers through CISA’s Secure by Design Pledge.
The new catalog builds on previous efforts, such as the NIST Secure Software Development Framework (SSDF), and is intended to serve as a central guiding document for future actions under the Secure by Design initiative.
Structure of the Product Security Bad Practices Catalog
The catalog is divided into three major categories:
- Product Properties: This refers to observable, security-related qualities of a software product. These properties should be built into software to ensure it operates securely under various conditions.
- Security Features: This section outlines the security functionalities a product should support. These features are essential for protecting software from unauthorized access, malicious use, and exploitation.
- Organizational Processes and Policies: This category focuses on the internal processes of software manufacturers, particularly their transparency and commitment to security in their development approach.
The catalog does not claim to be exhaustive; rather, it focuses on the most dangerous and pressing bad practices that software manufacturers must avoid based on the current threat landscape. The absence of a practice from the list does not mean that it is acceptable—CISA simply prioritized the most critical issues for inclusion in this document.
Specific Bad Practices Highlighted
Some of the notable bad practices mentioned include:
- Development in Memory-Unsafe Languages: The use of memory-unsafe languages like C or C++ in software intended for critical infrastructure introduces significant vulnerabilities. Software manufacturers are urged to transition to memory-safe languages and publish a memory safety roadmap by January 1, 2026.
- Inclusion of User-Provided Input in SQL Query Strings: Products that allow raw SQL queries based on user input are highly vulnerable to SQL injection attacks. The catalog recommends enforcing the use of parameterized queries to mitigate this risk.
- Presence of Default Passwords: Releasing products with default passwords significantly elevates security risks, particularly in critical infrastructure. Manufacturers are urged to eliminate default passwords and enforce stronger authentication measures, such as multi-factor authentication (MFA).
- Known Exploited Vulnerabilities: Products released with known vulnerabilities that are listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog are dangerous. Software manufacturers must ensure that these vulnerabilities are patched prior to release and continue to issue timely updates if new vulnerabilities are discovered post-release.
- Open Source Software with Vulnerabilities: Using open-source components with known vulnerabilities presents significant risks. Software manufacturers are advised to maintain a software bill of materials (SBOM), regularly scan for vulnerabilities, and issue timely patches.
The Product Security Bad Practices catalog represents a critical tool for improving software security across industries, particularly in sectors tied to critical infrastructure. By outlining the most dangerous practices to avoid, CISA and the FBI aim to guide software manufacturers toward safer development practices. Public comment is encouraged to ensure the catalog remains relevant and effective.
