Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released joint guidance on Product Security Bad Practices, a part of CISA’s Secure by Design initiative. This joint guidance supplies an overview of exceptionally risky product security bad practices for software manufacturers who produce software in support of critical infrastructure or national critical functions.
The bad practices presented in this guidance are organized into three categories: product properties, security features, and organizational processes and policies. This guidance contains brief information about specific bad practices, recommended actions, and additional resources. While this guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices.
CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. For more information and resources, visit CISA.gov/SecureByDesign.
The public comment period begins today and concludes on December 2, 2024. During the comment period, members of the public can provide comments and feedback via the Federal Register.
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA released three Industrial Control Systems (ICS) advisories on June 3, 2025. These advisories provide…
CISA released seven Industrial Control Systems (ICS) advisories on June 5, 2025. These advisories provide…
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security…
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
This website uses cookies.