2024-10-31 21:59:00
thenewstack.io
The federal government is heightening its warnings about dangerous software development practices, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issuing stark warnings about basic security failures that continue to plague critical infrastructure.
A recent report issued jointly by CISA and the FBI on Product Security Bad Practices warns software manufacturers about bad practices such as using memory-unsafe programming languages like C and C++.
“The development of new product lines for use in service of critical infrastructure or [national critical functions] NCFs in a memory-unsafe language (e.g., C or C++) where there are readily available alternative memory-safe languages that could be used is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” the report says.
Three Categories
The report says bad practices are divided into three categories:
- Product properties, which describe the observable, security-related qualities of a software product.
- Security features, which describe the security functionalities that a product supports.
- Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.
The report is aimed at software manufacturers who develop software products and services — including on-premises software, cloud services, and Software as a Service (SaaS) — used in support of critical infrastructure or NCFs, the report said.
Avoid Bad Practices, Follow Recommendations
The report also encourages all software manufacturers, not only those serving critical infrastructure, to avoid these product security bad practices. “By following the recommendations in this guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key Secure by Design principle,” the report said.
“This guidance certainly follows up on the U.S. government’s earlier statement on the matter, statements that date back to 2022, admonishing technology providers and enterprise adopters alike to adopt or migrate to memory-safe languages,” said Brad Shimmin, an analyst at Omdia.
“Putting all new code aside, fortunately, neither this document nor the U.S. government is calling for an immediate migration from C/C++ to Rust — as but one example,” he said. “CISA’s Secure by Design document recognizes that software maintainers simply cannot migrate their code bases en masse like that.”
The guidance, while voluntary, represents CISA’s strongest stance yet on baseline security practices — putting companies on notice about what constitutes negligent software development practices when it comes to critical infrastructure.
The Clock Is Ticking
However, the clock is ticking for software manufacturers. Companies have until January 1, 2026, to create memory safety roadmaps.
“For existing products that are written in memory-unsafe languages, not having a published memory safety roadmap by Jan. 1, 2026, is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” the report said.
In addition, default passwords must be eliminated from admin accounts by the same date. These deadlines signal a shift from recommendations to expected standards.
The report also states that the memory safety roadmap should outline the manufacturer’s prioritized approach to eliminating memory safety vulnerabilities in priority code components (e.g., network-facing code or code that handles sensitive functions like cryptographic operations).
“Manufacturers should demonstrate that the memory safety roadmap will lead to a significant, prioritized reduction of memory safety vulnerabilities in the manufacturer’s products and demonstrate they are making a reasonable effort to follow the memory safety roadmap,” the report said.
“There are two good reasons why businesses continue to maintain COBOL and Fortran code at scale. Cost and risk,” Shimmin told The New Stack. “It’s simply not financially possible to port millions of lines of code, nor is it a risk any responsible organization would take.”
Yet, according to the report, critical infrastructure still suffers from “exceptionally risky” practices like:
- Default passwords.
- Direct SQL injection vulnerabilities.
- Lack of basic intrusion detection.
- Missing multifactor authentication.
Open Source
Regarding open source software, the report says special attention should be paid to open source vulnerabilities. Other recommendations include:
- Companies must maintain software bills of materials (SBOMs).
- Companies are required to cache dependencies rather than pulling them from public sources at build time.
- Companies need to contribute responsibly to the open source projects they depend on.
“Software manufacturers should responsibly consume and sustainably contribute to the open source software that they depend on,” the report said.
The report also urges more transparency, stating that:
- Companies must publish vulnerability disclosure policies.
- Companies are required to issue CVEs for all critical vulnerabilities.
- Companies must provide clear documentation about security issues.
- Companies are expected to maintain six months of security logs.
It’s a Good Thing
Finally, it is good that CISA is recommending that companies with critical software in their care should create a stated plan of attack by early 2026, Shimmin said. It’s good because it will give the industry more time to come up with a more skillful means of ensuring the safety of our critical software assets, he said.
“Those means will likely involve hardware manufacturers shoring up potential attack vectors and programming language maintainers coming up with ideas like the Safe C++ proposal, which calls for the creation of a superset of C++ that addresses memory safety issues without forcing major code rewrites,” he said.