The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new guide to enhance how organizations evaluate software manufacturers' security practices.
The guidance emphasizes the importance of prioritizing product security—rather than solely focusing on a manufacturer's enterprise security measures—during the software procurement process. The agency highlighted how this approach is crucial for defending against ransomware and other cyber threats.
"This guide provides organizations with questions to ask when buying software, considerations to integrate product security into various stages of the procurement lifecycle and resources to assess product security maturity in line with secure by design principles," CISA wrote.
This "secure by design" philosophy requires manufacturers to prioritize security as a core element, aligning with CISA's established principles, which include taking responsibility for customer security outcomes, maintaining transparency and fostering leadership to achieve these goals.
Currently, many organizations concentrate on compliance standards related to enterprise security, such as internal infrastructure protection.
"An organization's acquisition staff often has a general understanding of the core cybersecurity requirements for a particular technology acquisition," CISA said. "However, they frequently don't assess whether a given supplier has practices and policies in place to ensure that security is a core consideration from the earliest stages of the product development lifecycle."
The guide highlights the need for a shift towards evaluating how software manufacturers ensure their products are resistant to cyber-attacks. It provides actionable steps for integrating product security into different stages of the procurement lifecycle: before, during and after the purchase.
For instance, before procurement, organizations should inquire about the manufacturer's approach to security. During procurement, security requirements should be incorporated into contracts. Post-purchase, continuous assessment of the manufacturer's product security is advised.
The guide also underscores the importance of eliminating default passwords, supporting multifactor authentication (MFA) and addressing systemic vulnerabilities. It suggests that software manufacturers provide evidence of security logs, maintain detailed records of third-party dependencies and demonstrate timely vulnerability reporting.
Organizations seeking further guidance can refer to CISA's Secure by Design page.