CISA sees elimination of \u2018bad practices\u2019 as next secure-by-design step | CyberScoop<\/title> <meta name=\"description\" content=\"Officials at the cyber agency are doubling down on shifting the security onus to software makers.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-secure-by-design-software-bad-practices\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA sees elimination of \u2018bad practices\u2019 as next secure-by-design step\"> <meta property=\"og:description\" content=\"Officials at the cyber agency are doubling down on shifting the security onus to software makers.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-secure-by-design-software-bad-practices\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-10-28T22:27:39+00:00\"> <meta property=\"article:modified_time\" content=\"2024-10-28T22:27:41+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1414\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1729616464g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1728928671g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1729103471g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82318\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82318\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-secure-by-design-software-bad-practices%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-secure-by-design-software-bad-practices%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82318 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-secure-by-design-software-bad-practices\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.324742268041\">\n<div class=\"single-article__header-content\" readability=\"32.654155495979\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> Officials at the cyber agency are doubling down on shifting the security onus to software makers. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82318\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"37.152542372881\"><body readability=\"76.204450966006\"><\/p>\n<p><strong>HERSHEY, Pa. \u2014 <\/strong>A year-and-a-half after <a href=\"https:\/\/cyberscoop.com\/cisa-secure-by-design\/\">launching its global secure-by-design initiative<\/a>, the Cybersecurity and Infrastructure Security Agency is \u201cthrilled\u201d by the progress it\u2019s made in getting vendors on board and now turning its focus to a new program aimed at drawing more attention to especially risky software-building practices.<\/p>\n<p>Rina Rakipi, who leads strategic partnerships and vulnerability program development at CISA, said Monday during ACT-IAC\u2019s Imagine Nation ELC 2024 conference that the cyber agency has secured <a href=\"https:\/\/www.cisa.gov\/securebydesign\/pledge\/secure-design-pledge-signers\">more than 230 voluntary commitments<\/a> from software manufacturers under the campaign. Signing on to the secure-by-design initiative means that those vendors pledge to meet within a year a variety of cybersecurity goals \u2014 covering everything from the reduction of default passwords across products to increasing the use of multi-factor authentication and eliminating entire classes of vulnerabilities.<\/p>\n<p>\u201cWe are thrilled at the fact that we have over 230 software manufacturers that have voluntarily committed to this pledge,\u201d Rakipi said. \u201cLooking to the future, we look forward to seeing within the next year the progress that all 230 companies make.\u201d<\/p>\n<p>As software manufacturers push forward on honoring those pledges, CISA and the FBI this month released a document that serves as a natural follow-up to secure by design that is intended to stamp out exceptionally problematic issues before getting to production. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The agencies\u2019 <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/product-security-bad-practices\">Product Security Bad Practices publication<\/a> touches specifically on three trouble areas for manufacturers: product properties, which covers the inclusion in software of default passwords, memory unsafe languages, user-provided input in SQL query and operating system command strings, and known exploitable vulnerabilities; security features, which includes lack of MFA and an inability to collect evidence of intrusions; and organizational processes and policies, which points to failures to publish timely CVEs and vulnerability disclosure policies.<\/p>\n<p>The overarching goal of the document, Rakipi said, is to highlight for vendors \u201cwhat are these bad practices\u201d and \u201cwhat should we not do.\u201d The document is <a href=\"https:\/\/www.federalregister.gov\/documents\/2024\/10\/16\/2024-23869\/request-for-comment-on-product-security-bad-practices-guidance\">posted to the Federal Register<\/a> and open for public comment until Dec. 2. <\/p>\n<p>Keelan Sweeney, section chief for IT sector management at CISA, said during a separate panel Monday that having memory-safe languages in products is especially \u201cinherent to our secure-by-design mission at CISA.\u201d Sweeney cited a <a href=\"https:\/\/advocacy.consumerreports.org\/research\/report-future-of-memory-safety\/\">stat<\/a> that <a href=\"https:\/\/tarides.com\/blog\/2023-08-17-your-programming-language-and-its-impact-on-the-cybersecurity-of-your-application\/#:~:text=Impact%20of%20Memory%20Exploits,were%20related%20to%20handling%20memory.\">roughly 60% to 70%<\/a> of vulnerabilities can be attributed to memory-unsafe languages. For manufacturers, simply prioritizing the inclusion of memory-safe languages in product development could have a truly significant effect on security. <\/p>\n<p>\u201cWhat I tell developers all the time is, don\u2019t let the perfect be the enemy of the good, right?\u201d said Sweeney, who pointed to a <a href=\"https:\/\/storage.googleapis.com\/gweb-research2023-media\/pubtools\/7665.pdf\">Google case study<\/a> that highlighted a substantial reduction in observed vulnerabilities thanks to the prioritization of memory-safe languages. \u201cThat kind of improvement, I think, is still worth celebrating.\u201d<\/p>\n<p>There\u2019s also a push from CISA for software companies to not only bake into their products features like MFA but to make it so customers are \u201cheavily dissuaded to remove\u201d such protections from their security settings, Rakipi said. That could take the form of \u201csecurity alerts saying, \u2018Hey, are you sure you want to remove that security feature?\u2019\u201d Calling out that \u201crisky behavior\u201d would go a long way toward making the customer \u201creally aware of what they are removing from their system,\u201d Rakipi added.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>But ultimately, CISA is fully in the mode now of putting the security burden on the software makers, pushing manufacturers to ensure that their products are secure from the start so that customers aren\u2019t left in the dark on protecting their systems.<\/p>\n<p>\u201cIf you got a car on the road and it didn\u2019t have an airbag, it\u2019s pretty impossible to \u2026 slap it on after the fact,\u201d Rakipi said. \u201cAnd so we don\u2019t want to do that with our software.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.8730158730159\">\n<div class=\"author-card\" readability=\"15\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step-1.jpg?w=640&ssl=1\" alt=\"Matt Bracken\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Bracken<\/h4>\n<p> Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-secure-by-design-software-bad-practices\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA sees elimination of \u2018bad practices\u2019 as next secure-by-design step<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,452,1396,2967,1276,2968],"tags":[86,454,1397,2969,1278,2970],"class_list":["post-5974","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-multi-factor-authentication-mfa","category-product-security-bad-practices","category-secure-by-design","category-software","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-multi-factor-authentication-mfa","tag-product-security-bad-practices","tag-secure-by-design","tag-software"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/multi-factor-authentication-mfa\/\" rel=\"category tag\">multi-factor authentication (MFA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/product-security-bad-practices\/\" rel=\"category tag\">Product Security Bad Practices<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/secure-by-design\/\" rel=\"category tag\">secure-by-design<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/software\/\" rel=\"category tag\">software<\/a>","tag_info":"software","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5974","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5974"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5974\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5974"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":5974,"date":"2024-10-28T17:27:39","date_gmt":"2024-10-28T22:27:39","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82318"},"modified":"2024-10-28T17:27:39","modified_gmt":"2024-10-28T22:27:39","slug":"cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/28\/cisa-sees-elimination-of-bad-practices-as-next-secure-by-design-step\/","title":{"rendered":"CISA sees elimination of \u2018bad practices\u2019 as next secure-by-design step"},"content":{"rendered":"