Updated federal security guidance for software vendors issued
![Secure By Design Pledge](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2023/11/CISA-alert.jpg)
(Adobe Stock)
Cybernews reports that mounting threats against software, particularly software used by critical infrastructure operators, have prompted the Cybersecurity and Infrastructure Security Agency and the FBI to release an updated joint guidance document that adds three more development practices software vendors should avoid. The list now names 13 bad practices. Carried over from the earlier version are items such as developing in memory-unsafe languages, shipping products that contain known exploited vulnerabilities, and leaving command injection flaws unaddressed. The new entries warn against insecure or outdated cryptographic functions and unencrypted storage of data, against hardcoded secrets in the source code of critical infrastructure software, and against failing to communicate clearly how long a product will be supported. The guidance recommends that vendors use standards-compliant post-quantum cryptographic algorithms and current TLS versions, keep secrets in a dedicated secret manager rather than in code, remediate known exploited vulnerabilities promptly, and support phishing-resistant multi-factor authentication to counter increasingly sophisticated intrusions.
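Two of the practices the guidance names, command injection and hardcoded credentials, are concrete enough to show in code. The block below is an added illustration, not code from the guidance or from any vendor: it runs a shell command built from attacker-controlled input next to the hardened argv form, adds an allow-list check for the case where the value really is a filename, and contrasts a secret embedded in source with one read from the runtime environment. All function names, the `APP_API_KEY` variable and the sample input are made up for the example.

```python
"""Vulnerable code beside its hardened form for two of the 13 practices
(command injection, hardcoded secrets). Added example; the names and
the sample input are constructed, not taken from the guidance."""
import os
import re
import subprocess

# Constructed attacker-controlled input: a plausible filename followed by
# a shell metacharacter and a second command.
INJECTED_INPUT = "report.txt; echo INJECTED"


def run_echo_unsafe(user_input: str) -> str:
    """BAD: user input is spliced into a shell command string.
    The ';' terminates the intended command and the shell runs what follows."""
    result = subprocess.run(
        f"echo {user_input}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def run_echo_safe(user_input: str) -> str:
    """Hardened: pass an argv list and never invoke a shell. The whole
    string becomes a single argument, so ';' is just a character in it."""
    result = subprocess.run(
        ["echo", user_input], capture_output=True, text=True
    )
    return result.stdout


# Allow-list for values that are supposed to be plain filenames. Rejecting
# anything outside a tight character set is more robust than trying to
# escape every character a shell might interpret.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validated_filename(user_input: str) -> str:
    """Return the input unchanged if it is a safe filename, else raise."""
    if not _SAFE_NAME.fullmatch(user_input):
        raise ValueError(f"rejected filename: {user_input!r}")
    return user_input


# BAD: a credential in source ships with every copy of the repository and
# every build artifact. (Constructed placeholder value, not a real key.)
HARDCODED_API_KEY = "sk-example-do-not-do-this"


def load_api_key(env_var: str = "APP_API_KEY") -> str:
    """Hardened: read the secret at runtime from the environment, which a
    secret manager or orchestrator populates, and fail closed if absent.
    The variable name is an assumption for this example."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} not set; refusing to start")
    return value


if __name__ == "__main__":
    print("unsafe:", repr(run_echo_unsafe(INJECTED_INPUT)))
    print("safe:  ", repr(run_echo_safe(INJECTED_INPUT)))
```

Running the module on a POSIX system shows the difference directly: the unsafe call prints two lines, `report.txt` and `INJECTED`, because the shell executed the second command, while the safe call prints the whole input as one literal line. `validated_filename` rejects the same input before any command is built, which is the check to apply when the argument is meant to be a filename rather than free text.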