CISA’s Recommendations to Avoid Bad Software Security Practices
The Cybersecurity and Infrastructure Security Agency (CISA) released guidance under its Secure by Design initiative to promote security-focused software development practices, emphasizing their critical importance in protecting national critical functions (NCFs). CISA urges software manufacturers to integrate security practices throughout the software development lifecycle, particularly for products supporting critical infrastructure. One significant focus is the elimination of memory safety vulnerabilities by adopting memory-safe programming languages like Rust or Swift for new product lines, supported by a memory safety roadmap for existing systems. The roadmap should prioritize high-risk components such as network-facing or cryptographic modules. Addressing SQL injection risks by enforcing parameterized queries or using Object-Relational Mapping (ORM) libraries is another pivotal recommendation aimed at preventing vulnerabilities that threaten both economic security and public health.
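As an added illustration of the parameterized-query recommendation above (example code written for this page, not CISA's), the following contrasts a string-spliced query with a bound-parameter query against a constructed in-memory SQLite table; the table, the user names and the helper names are assumptions for the demonstration:

```python
import sqlite3

# Constructed sample data standing in for a product's user store.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Bad practice: the caller's input is spliced into the SQL text, so the
    database engine cannot distinguish data from query structure."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the SQL text is fixed and the value is bound
    separately, so any quotes or operators in the input stay literal data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Return (rows from the unsafe query, rows from the safe query) for one input."""
    conn = make_db()
    return (len(find_user_unsafe(conn, username)), len(find_user_safe(conn, username)))


if __name__ == "__main__":
    # A benign lookup behaves identically either way.
    print("alice:", compare("alice"))
    # A value containing a quote and an OR clause is treated as structure by the
    # unsafe query (it matches every row) but as a plain literal by the safe one.
    print("quoted input:", compare("x' OR '1'='1"))
```

The parameterized version also handles ordinary names containing apostrophes, which the concatenated version turns into a syntax error.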
Additionally, CISA identifies the persistent use of default passwords in products as a severe security lapse. Instead, manufacturers should enforce unique instance-specific passwords, require users to create strong credentials during setup, or implement secure authentication methods like multi-factor authentication (MFA). Ensuring user-provided input is sanitized to prevent command injection vulnerabilities is another priority, with recommended methods including input allowlists and secure system library functions. These measures collectively aim to establish a secure foundation for software products used in critical sectors.
CISA highlights the dangers of releasing products containing known exploitable vulnerabilities or insecure cryptographic algorithms. Software manufacturers are encouraged to maintain a software bill of materials (SBOM), evaluate open-source components for vulnerabilities, and issue timely patches when risks are identified. Products that fail to adopt modern encryption protocols, such as Transport Layer Security (TLS) 1.2 or newer, or that continue to rely on deprecated algorithms like MD5, SHA-1, or DES, expose sensitive information in transit and at rest to unnecessary risks.
Lastly, CISA recommends publishing vulnerability disclosure policies (VDPs) that facilitate responsible vulnerability reporting by the public. Clear support timelines for on-premises products, alongside commitments to issue regular security updates, are additional practices designed to reduce operational risks for organizations using these tools. By following these guidelines, manufacturers not only mitigate cybersecurity risks but also signal their commitment to safeguarding critical systems, fostering trust among their users.