New FBI and CISA Guidelines Target Key Security Gaps in Critical Software



The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have updated their joint guidance to urge software vendors to prioritize security, specifically focusing on reducing risks for customers. This updated guidance highlights three additional “bad practices” that vendors must avoid, along with other key recommendations for improving software security.

The new guidance outlines several critical issues related to software vulnerabilities, particularly in the context of products used for critical infrastructure. One of the major updates focuses on the use of insecure cryptographic algorithms. CISA warns against the use of outdated protocols, hash functions, and ciphers such as Transport Layer Security (TLS) 1.0/1.1, MD5, SHA-1, and the Data Encryption Standard (DES). The agencies recommend that vendors adopt modern cryptographic protocols and support post-quantum cryptographic algorithms, as standardized by the National Institute of Standards and Technology (NIST). This shift would help secure sensitive data during transmission and storage.

Another highlighted bad practice involves the use of hardcoded credentials or secrets in the source code of software. This practice is dangerous because it can easily expose critical information. CISA advises vendors to use secure secret management tools that allow for safe retrieval of credentials and to implement scanning mechanisms to detect the presence of sensitive data in the code.
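As an added example (not from the guidance or this article), a small Python source scanner of the kind the two bad practices above call for: it flags the weak algorithms the guidance names (MD5, SHA-1, DES, TLS 1.0/1.1) and literal credentials assigned in code, and masks the matched value in its own report so the scanner does not leak the secret it found. The rule names, regular expressions and the sample source text are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of a "source file" to scan (example text, not a real project).
SAMPLE_SOURCE = """\
DB_PASSWORD = "hunter2-prod"
API_KEY = 'AKIAEXAMPLE012345678'
digest = hashlib.md5(data).hexdigest()
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
cipher = DES.new(key, DES.MODE_ECB)
password = os.environ["DB_PASSWORD"]
digest2 = hashlib.sha256(data).hexdigest()
legacy = hashlib.sha1(data).hexdigest()
"""

# Weak-crypto rules mirror the algorithms the guidance names (TLS 1.0/1.1, MD5, SHA-1, DES);
# the secret rules flag literal credentials assigned in code. Env-var lookups do not match.
RULES = {
    "weak-hash-md5": re.compile(r"\bmd-?5\b", re.I),
    "weak-hash-sha1": re.compile(r"\bsha-?1\b", re.I),
    "weak-cipher-des": re.compile(r"\bDES\b"),
    "weak-tls-version": re.compile(r"TLSv1(_1)?\b"),
    "hardcoded-secret": re.compile(
        r"(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*[\"'][^\"']{4,}[\"']", re.I),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
QUOTED_LITERAL = re.compile(r"([\"'])[^\"']{4,}\1")

@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str  # offending line with quoted literals masked, so reports never carry the secret

def redact(line: str) -> str:
    """Replace every quoted string of 4+ characters with *** before it reaches a report."""
    return QUOTED_LITERAL.sub(r"\1***\1", line)

def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in line order, then rule order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(line_no, rule, redact(line.strip())))
    return findings

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
```

Lines 6 and 7 of the sample (an environment lookup and SHA-256) are the negative cases and produce no findings.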

The updated guidance also stresses the importance of clear communication regarding product support periods. Vendors are encouraged to explicitly define the support duration of their products at the time of sale and ensure that security updates are provided throughout the support window. This transparency will help customers manage the risks associated with using outdated software.

In total, the document identifies 13 risky software development practices. The guidance also emphasizes the need for timely patching of known vulnerabilities and the implementation of phishing-resistant multi-factor authentication.