CISA, the government agency tasked with securing the U.S.’ cyber and physical infrastructure, has released new Information Technology (IT) Sector-Specific Goals (SSGs).
According to the organization, the IT SSGs complement Cross-Sector Cybersecurity Performance Goals (CPGs) and offer “additional voluntary practices with high-impact security actions.” Organizations can use them to improve the security of their software development practices.
The list is broken down into goals for the process of software development and goals for product design.
The software development process goals include:
- Separate all environments used in software development
- Regularly log, monitor, and review trust relationships used for authorization and access across software development environments
- Enforce Multi-Factor Authentication (MFA) across software development environments
- Establish and enforce security requirements for software products used across software development environments
- Securely store and transmit credentials used in software development environments
- Implement effective perimeter and internal network monitoring solutions with streamlined, real-time alerting to aid responses to suspected and confirmed cyber incidents
- Establish a software supply chain risk management program
- Make a Software Bill of Materials (SBOM) available to customers
- Inspect source code for vulnerabilities through automated tools or comparable processes and mitigate known vulnerabilities prior to any release of products, versions, or update releases
- Address identified vulnerabilities prior to product release
- Publish a vulnerability disclosure policy
The Product Design goals include:
- Increase the use of multifactor authentication
- Reduce default passwords
- Reduce entire classes of vulnerabilities
- Provide customers with security patching in a timely manner
- Ensure customers understand when products are nearing end of life support and security patches will no longer be provided
- Include Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the organization’s products
- Increase the ability for customers to gather evidence of cybersecurity intrusions affecting the organization’s products
Chris Hughes, chief security advisor at Endor Labs and CISA Cyber Innovation Fellow, said: “These are fundamental security practices, reflecting those in other sources such as CISA’s Secure-by-Design Pledge and Secure-by-Design/Default guidance and NIST’s Secure Software Development Framework (SSDF). They’re good reminders and solid cyber hygiene recommendations that most organizations should be doing, especially those in IT and product-centric development environments, with ramifications for downstream customers and consumers.”
The post CISA unveils new recommendations for developing secure software appeared first on SD Times.
Source: Read MoreÂ
