
The U.S. CISA and the FBI have released a draft ‘Product Security Bad Practices’ guidance aimed at helping software manufacturers reduce customer risk by prioritizing security throughout the product development process.
This guidance outlines risky security practices and provides steps to mitigate and improve these risks. By following these recommendations, manufacturers can demonstrate their commitment to customer security outcomes, aligning with the Secure by Design principle. Although the guidance is non-binding, CISA encourages organizations to avoid these bad practices.
The bad practices are divided into three categories:
- Product properties, which describe the observable, security-related qualities of a software product:
  - development in memory-unsafe languages.
  - inclusion of user-provided input in SQL query strings.
  - inclusion of user-provided input in operating system command strings.
  - presence of default passwords.
  - presence of known exploited vulnerabilities.
- Security features, which describe the security functionalities that a product supports:
  - lack of multifactor authentication.
  - lack of capability to gather evidence of intrusions.
- Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security:
  - failure to publish timely CVEs with CWEs.
  - failure to publish a vulnerability disclosure policy.
The list is focused and does not include every possible inadvisable cybersecurity practice. Items on this list were chosen based on the threat landscape, representing the most dangerous and pressing bad practices that software manufacturers should avoid. Developing new product lines for critical infrastructure or National Critical Functions (NCFs) using memory-unsafe languages is particularly risky, especially when memory-safe alternatives are available.
By January 1, 2026, software manufacturers should release a memory-safety roadmap with a prioritized approach to eliminating memory safety vulnerabilities in key code components. They should also demonstrate that their roadmap significantly reduces risk.
Product Properties
The guidance highlights several critical security concerns:
- User-Provided Input in SQL Query Strings: Including user-provided input in the raw contents of a SQL query string significantly elevates risks to national security, economic security, and public health and safety. To mitigate these risks, it is recommended to consistently enforce the use of parameterized queries.
- User-Provided Input in Command Strings: Including user-provided input directly in the raw contents of an operating system command string is risky. It is recommended to consistently ensure that command inputs are delineated from the contents of the command itself.
- Default Passwords: Releasing products with default passwords poses significant security risks. Software manufacturers should ensure that default passwords are not present by:
  - Providing random, instance-unique initial passwords for the product.
  - Requiring users to create a strong password during the installation process.
  - Providing time-limited setup passwords that disable themselves after the setup process and require the configuration of a secure password.
- Open-Source Dependencies: Software manufacturers should responsibly consume and sustainably contribute to the open-source software that they depend on. They should:
  - Make an effort to evaluate and secure their open-source software dependencies by maintaining a software bill of materials (SBOM).
  - Establish a process for managing the incorporation of open-source software.
  - Monitor for Common Vulnerabilities and Exposures (CVEs) or other security-relevant alerts, such as end-of-life, in all open-source software dependencies and update them as necessary.
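The first two items above, shown side by side as an added example (this is not code from CISA's guidance): the "bad practice" form splices user input into the SQL text or the shell command line, and the recommended form binds it as a query parameter or passes it as a separate argv entry. The user table is constructed in an in-memory SQLite database, and the Python interpreter itself stands in for the external command so the argument count can be observed.

```python
import sqlite3
import subprocess
import sys


def make_db():
    # Constructed in-memory table standing in for a product's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user")])
    return conn


def role_concat(conn, name):
    # Bad practice from the guidance: user input spliced into the SQL text.
    # The database parses the input as SQL, so even a legitimate apostrophe
    # breaks the statement; that error is the visible symptom of the flaw.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def role_parameterized(conn, name):
    # Recommended practice: parameterized query. The driver binds the value;
    # it is never interpreted as SQL, whatever characters it contains.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Child program that only reports how many arguments the OS handed it.
COUNT_ARGS = "import sys; print(len(sys.argv) - 1)"


def argc_shell_string(user_value):
    # Bad practice: user input spliced into a shell command string. The shell
    # re-tokenizes the whole line, so spaces and metacharacters in the input
    # change the command that actually runs.
    cmd = f"{sys.executable} -c '{COUNT_ARGS}' {user_value}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return int(out.stdout)


def argc_argv_list(user_value):
    # Recommended practice: argv list. The input is delineated from the
    # command and reaches the child as exactly one argument; no shell is run.
    out = subprocess.run([sys.executable, "-c", COUNT_ARGS, user_value],
                         capture_output=True, text=True)
    return int(out.stdout)
```

Looking up the name `o'brien` succeeds with the parameterized query and raises a database error with the concatenated one, and a filename with a space arrives as one argument via the argv list but as two via the shell string.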
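The three default-password alternatives above, combined into one first-boot credential as an added example (not CISA's code or any vendor's): the setup password is generated per instance rather than baked into the image, stops working after a setup window or once setup completes, and can only be used to force the operator to choose a strong password. The window length, the minimum password length and the injectable clock are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

SETUP_TTL_SECONDS = 15 * 60   # assumed setup window; a product would pick its own
MIN_PASSWORD_LEN = 12         # assumed minimum length for the operator's password


def _derive(password, salt):
    # Store only a salted PBKDF2 hash of the operator's chosen password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SetupCredential:
    """Instance-unique, time-limited setup password that disables itself once
    the operator has set a strong password of their own."""

    def __init__(self, now=time.time):
        self._now = now                                  # injectable clock
        self.setup_password = secrets.token_urlsafe(16)  # generated per instance
        self._issued = now()
        self._consumed = False
        self._salt = None
        self._hash = None

    def setup_password_valid(self, candidate):
        # Refused after the setup window closes or once setup has completed.
        if self._consumed or self._now() - self._issued > SETUP_TTL_SECONDS:
            return False
        return hmac.compare_digest(candidate.encode(), self.setup_password.encode())

    def complete_setup(self, candidate, new_password):
        # The setup password can do exactly one thing: force a real password.
        if not self.setup_password_valid(candidate):
            return False
        if len(new_password) < MIN_PASSWORD_LEN or new_password == candidate:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _derive(new_password, self._salt)
        self._consumed = True
        return True

    def login(self, password):
        # Ordinary logins never accept the setup password, even inside the window.
        if self._hash is None:
            return False
        return hmac.compare_digest(_derive(password, self._salt), self._hash)
```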
Product Security Qualities
The guidance also emphasizes the importance of multi-factor authentication (MFA). Not supporting MFA in the baseline version of a product is dangerous and significantly elevates risks to national security, economic security, and public health and safety. Software manufacturers should either support MFA natively in the product or enable the use of an external identity provider, such as via single sign-on. Additionally, MFA should be mandatory for administrators.
Furthermore, as part of the baseline version of a product, software manufacturers should ensure that logs are available in an industry-standard format. For cloud service providers and SaaS products, manufacturers should retain logs for at least six months at no additional charge.
Organizational processes and policies
- Complete CVEs: Software manufacturers should issue complete Common Vulnerabilities and Exposures (CVEs) promptly for all critical or high-impact vulnerabilities, including the Common Weakness Enumeration (CWE) field.
- Vulnerability Disclosure Policy (VDP): Not having a VDP is considered a bad practice. A good VDP should:
  - Authorize public testing of products.
  - Commit to not taking legal action against good-faith testers.
  - Provide a clear channel for reporting vulnerabilities.
  - Allow public disclosure of vulnerabilities in line with coordinated vulnerability disclosure (CVD) best practices and international standards.
- Timely Remediation: Software manufacturers should address all valid reported vulnerabilities in a timely and risk-prioritized manner.
These practices are crucial for reducing risks to national security, economic security, and public health and safety.