September 10, 2024
CISA Launches Cybersecurity Software Buying Guide
CISA has published a guide to help businesses incorporate cybersecurity into their software acquisition process.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a guide to help organizations determine their software suppliers’ approach to cybersecurity in order to prevent nonsecure code from getting into their systems. 

CISA’s Secure by Demand Guide, published Aug. 6, provides “questions and resources” that software buyers can use to double-check their suppliers. The agency said that while staff in charge of software acquisition at an organization usually understand the core cybersecurity requirements for a desired technology, they often do not check whether suppliers have “practices and policies in place to ensure that security is a core consideration” at all stages of development. 

The document is intended as a complement to the agency’s Secure by Design Guide, released a week earlier. That guide aims to help instill in software developers the philosophy of building cybersecurity into their products from the ground up and taking proactive steps to ensure their software is free of vulnerabilities. A secure-by-design approach follows three principles: 

    • Take ownership of customer security outcomes. 
    • Embrace radical transparency and accountability. 
    • Build organizational structure and leadership to achieve these goals. 

With the new guide, CISA said, businesses can make sure suppliers are following these principles. 

“We are glad to see leading technology vendors recognize that their products need to be more secure. … Businesses can also help move the needle by making better risk-informed decisions when purchasing software,” CISA Director Jen Easterly said in a statement. “This new guide will help software customers understand how they can use their purchasing power to procure secure products and turn secure by design into secure by demand.” 

In the guide, CISA said businesses’ due diligence of software manufacturers “often [focuses] on [the manufacturers’] enterprise security measures,” which they examine through the lens of compliance standards. However, this focus on enterprise security — which relates to how the company protects its own infrastructure — can come at the expense of neglecting the vendor’s product security, by which the company ensures its products are safe from attacks. 

The guide urged organizations to look for ways to make product security a focus at each stage of procurement. Before procurement, an organization can use probing questions to evaluate a manufacturer’s understanding of product security; during procurement, the organization can write product security requirements into its contract language; and afterward, it can continue to assess the product security and security outcomes. 

Suggested general questions for software manufacturers include whether the manufacturer has taken CISA’s Secure by Design Pledge, how it measures its adherence to the pledge, and to what extent it supports security patches. Additional questions cover a number of specific topics: 

    • authentication — whether the product supports secure authentication measures such as single sign-on and multifactor authentication and has eliminated default passwords in its products. 
    • eliminating classes of vulnerability — what vulnerability classes the manufacturer has addressed systematically in its products, and whether it has a road map for eliminating those classes. 
    • evidence of intrusions — whether manufacturers make security logs available to customers in the baseline version of their products. 
    • software supply chain security — whether the manufacturer generates a software bill of materials in a standardized format that is available to customers, and how it vets the security of open source software components. 
    • vulnerability disclosure and reporting — whether the manufacturer demonstrates transparency and timeliness in vulnerability reporting for its products. 
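The supply-chain question above asks whether a vendor supplies a software bill of materials in a standardized format. As an added illustration of what a buyer can check once such an SBOM arrives (this is example code written for this page, not a tool from CISA or the guide), the function below takes a CycloneDX or SPDX JSON document and reports components that are not identified precisely enough for vulnerability matching. The sample SBOM is constructed inline for the demonstration.

```python
import json

# Constructed sample SBOM in CycloneDX JSON (not from the page or any vendor);
# the last component deliberately lacks a version and a package URL.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-app", "version": "2.1.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "vendored-parser"},
    ],
})


def assess_sbom(sbom_text):
    """Return (is_standard_format, findings) for a vendor-supplied SBOM.

    Buyer-side basics only: the document declares a recognized format
    (CycloneDX or SPDX), names the product it describes, and identifies
    every component with a version and a package URL (purl), which is
    what downstream vulnerability matching needs.
    """
    findings = []
    try:
        doc = json.loads(sbom_text)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc}"]
    if doc.get("bomFormat") == "CycloneDX":
        components = doc.get("components", [])
        product = doc.get("metadata", {}).get("component", {}).get("name")
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        components = doc.get("packages", [])
        product = doc.get("name")
    else:
        return False, ["no recognized SBOM format (expected CycloneDX or SPDX)"]
    if not product:
        findings.append("SBOM does not identify the product it describes")
    if not components:
        findings.append("SBOM lists no components")
    for comp in components:
        name = comp.get("name", "<unnamed>")
        # CycloneDX uses "version"/"purl"; SPDX uses "versionInfo"/externalRefs.
        version = comp.get("version") or comp.get("versionInfo")
        purl = comp.get("purl") or any(
            ref.get("referenceType") == "purl" for ref in comp.get("externalRefs", []))
        if not version:
            findings.append(f"component '{name}' has no version")
        if not purl:
            findings.append(f"component '{name}' has no package URL (purl)")
    return True, findings
```

A clean result is only one input to the procurement decision; it confirms the SBOM is usable, not that the listed components are free of known vulnerabilities.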

Describing the guide as “a starting point for software customers to generate the demand for more secure technology products,” CISA advised businesses to use additional resources, such as its Software Acquisition Guide for Government Enterprise Consumers and the National Institute of Standards and Technology’s Secure Software Development Framework. 
