CISA's New Guide for Evaluating Software Security Practices
The US Cybersecurity and Infrastructure Security Agency (CISA) has recently unveiled a comprehensive guide aimed at enhancing the way organizations evaluate the security practices of software manufacturers. This guide is a critical tool for organizations looking to bolster their defenses against ransomware and other cyber threats.
Emphasizing Product Security Over Enterprise Security
CISA's guidance highlights the importance of prioritizing product security rather than solely focusing on a manufacturer's enterprise security measures during the software procurement process. This approach is vital for organizations to effectively defend against cyber-attacks.
"This guide provides organizations with questions to ask when buying software, considerations to integrate product security into various stages of the procurement lifecycle, and resources to assess product security maturity in line with secure by design principles," CISA wrote.
Understanding Secure by Design
The "secure by design" philosophy requires manufacturers to prioritize security as a core element. This aligns with CISA's established principles, which include taking responsibility for customer security outcomes, maintaining transparency, and fostering leadership to achieve these goals.
Many organizations currently concentrate on compliance standards related to enterprise security, such as internal infrastructure protection. However, CISA emphasizes that organizations often do not assess whether a supplier has practices and policies to ensure security from the earliest stages of the product development lifecycle.
Actionable Steps for Integrating Product Security
The guide provides actionable steps for integrating product security into different stages of the procurement lifecycle: before, during, and after the purchase. For instance:
- Before Procurement: Organizations should inquire about the manufacturer's approach to security.
- During Procurement: Security requirements should be incorporated into contracts.
- Post-Purchase: Continuous assessment of the manufacturer's product security is advised.
Key Security Measures to Consider
The guide underscores the importance of eliminating default passwords, supporting multifactor authentication, and addressing systemic classes of vulnerabilities. It also suggests that software manufacturers provide evidence of security logging, maintain detailed records of their third-party dependencies, and demonstrate timely vulnerability disclosure and reporting.
By following these guidelines, organizations can ensure that their software procurement process not only meets compliance standards but also maximizes the security and reliability of the products they use.