In partnership with the Federal Bureau of Investigation (FBI), CISA has released updated joint guidance on product security malpractices as part of CISA's Secure by Design initiative. This updated guidance incorporates public comments received by CISA in response to a request for information, adding further bad practices, context regarding memory-safe languages, clarified timelines for remediating known exploited vulnerabilities (KEVs), and other recommendations.
Although these voluntary guidelines are intended for software manufacturers that develop software products and services to support critical infrastructure, all software manufacturers are strongly encouraged to avoid these poor product security practices.
CISA and the FBI are urging software makers to reduce risks to customers by prioritizing security throughout the product development process. For more information and resources, visit CISA's Secure by Design webpage or learn how to take the CISA Secure by Design Pledge.