CISA and FBI Release Product Security Bad Practices for Public Comment


[Image: cyber red X. Image credit: Cybersecurity & Infrastructure Security Agency (CISA)]

November 5, 2024 | Originally published by Cybersecurity and Infrastructure Security Agency (CISA) on October 16, 2024

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released the Product Security Bad Practices for public comment today. This catalog outlines practices that are deemed exceptionally risky and provides recommendations for software manufacturers to mitigate these risks. It urges software manufacturers to avoid these bad practices, especially manufacturers whose software is used in service of critical infrastructure or national critical functions (NCFs). Members of the public may submit comments on this guidance starting today.

The National Cybersecurity Strategy calls for a fundamental shift to rebalance the responsibility to defend cyberspace onto those best positioned to bear it; namely, the software manufacturers who build the products underpinning our collective digital infrastructure. Fully realizing this shift requires an understanding of the most egregious software development practices that software manufacturers must avoid. This catalog enumerates such practices.