The FBI and the Cybersecurity and Infrastructure Security Agency have released the Product Security Bad Practices catalog for public comment.
CISA said Wednesday the catalog details the risky practices that software manufacturers should avoid because of the potential threat they pose to critical infrastructure or national critical functions. The bad practices are grouped into three categories: product properties, security features, and organizational processes and policies. The catalog also provides recommendations on how to build secure software.
Public comments will be accepted through the Federal Register's request-for-comment page for the Product Security Bad Practices guidance until Dec. 2. CISA will evaluate the feedback and make the necessary revisions to the catalog.
CISA Director Jen Easterly, a 2024 Wash100 Award winner, highlighted the risks posed by preventable software defects against critical infrastructure.
“These product security bad practices pose unacceptable risks in this day and age and yet are all too common. We hope that by following this clear-cut, voluntary guidance, software manufacturers can lead by example in taking ownership of their customers’ security outcomes and fostering a secure by design future,” said Easterly.
According to National Cyber Director Harry Coker, Jr., product security bad practices result in wide-ranging consequences often felt by Americans.
“Our private sector partners must shoulder their responsibility and build secure products and I’m glad to see this document as another tool to help software manufacturers do just that,” stated Coker Jr. “We need to work together to prioritize best practices to better protect our nation.”