Dive Brief:
- The FBI and Cybersecurity and Infrastructure Security Agency on Tuesday released a product security guide for the technology sector and are seeking public comment on how to make software and related products more resilient against malicious hacking.
- The agencies call on manufacturers to adopt key changes to make products more resistant to hacking. Officials encourage vendors and customers to eliminate the use of default passwords, implement multifactor authentication and develop software using memory-safe languages.
- The guidance is part of an urgent push to help eliminate software defects and make technology more secure upon release. CISA and the Department of Homeland Security published a notice on the product security push in the Federal Register on Wednesday and are asking for responses by Dec. 2.
Dive Insight:
A key component of the national cybersecurity strategy is to shift the burden for security away from organizations that lack funding, expertise and staffing and toward the technology industry and major companies that develop widely used software.
The goal has been to make front-end changes in the design and development of software and other technology tools, so that users do not have to search for software vulnerabilities and chase down malicious hackers after they have already entered customer computer systems or disrupted the software supply chain.
In May, 68 security and technology vendors, including Palo Alto Networks and Microsoft, committed to adhere to secure-by-design practices, which include efforts to boost cyber resilience. By August, that figure had reached more than 200 companies committing to the same changes.
In February, the White House led an effort to rally industry support for memory-safe programming. Palantir, HPE and SAP publicly backed the effort.
Software security experts say the industry can achieve most of the recommended changes, although some may be a heavy lift.
“First, the initial investment for some of these items is quite large,” Neil Carpenter, field CTO at Orca Security, said via email.
Shifting a codebase from C++ to a memory-safe language could require a tremendous amount of work, Carpenter said.
Correction: This article has been updated to reflect the proper job title for Neil Carpenter.