Top 10 configuration errors identified by CISA underscore pervasive system vulnerabilities
In a recent advisory, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) urged software manufacturers to embrace a proactive and holistic "secure-by-design" approach. This strategy integrates security throughout the software development lifecycle to improve customer security outcomes.
Key principles and tactics recommended by the advisory include prioritising security throughout product development, comprehensive software attack auditing, advanced software hardening and rewriting, formal verification techniques, and integration of secure development policies.
Prioritising security involves avoiding known bad product security practices, for example by patching Known Exploited Vulnerabilities (KEVs) in a timely manner and by using memory-safe programming languages as part of a secure coding standard. Comprehensive software attack auditing involves rigorous analysis of source and binary code and auditing of software ecosystems, including dependencies, especially for complex and large codebases like those used in AI systems.
Advanced software hardening and rewriting use techniques that maintain core software functionality while replacing insecure components or dependencies with verified secure alternatives. This builds on programs such as DARPA’s TRACTOR initiative. Formal verification techniques aim to achieve scalable and rigorous software correctness guarantees, making software defects and vulnerabilities less likely.
The integration of secure development policies aligns with threat intelligence and continuous monitoring approaches. This ensures that software infrastructure is resilient against current threat landscapes by applying frameworks such as CISA’s Secure by Design initiative and cybersecurity performance goals (CPGs).
Software manufacturers are also encouraged to adopt security control management as a holistic practice that continuously monitors, analyses, and mitigates vulnerabilities in real time.
The advisory also highlights systemic weaknesses in large organizations' network infrastructure. These weaknesses, failures of what cybersecurity experts and analysts consider basic standards and best practices, are abundant in enterprises with mature cybersecurity postures. The top 10 cybersecurity misconfigurations include default software and application configurations, improper user and administrative user separation, insufficient internal network monitoring, lack of network segmentation, poor patch management, system access controls bypass, weak or misconfigured multi-factor authentication, insufficient access control lists on shared services, poor credential management, and unrestricted code execution.
Addressing these shortcomings from day one, including hard-coded passwords, identity configuration drift, asset protection, and network access, is crucial, according to Heath Mullins, senior analyst at Forrester. Katell Thielemann, distinguished VP analyst at Gartner, states that the basics of cybersecurity aren't so basic due to the complexities of implementing these best practices in the real world.
The advisory serves as a wake-up call, emphasising the importance of secure-by-design principles. It calls for software manufacturers to take ownership of improving security outcomes for their customers. If large organizations struggle with these issues, it may indicate challenges for small- and medium-size enterprises as well, Thielemann suggests. This approach is part of a broader shift advocated by CISA, NSA, and their partners to close the software understanding gap and enhance national infrastructure cybersecurity.
- To meet the recommendations of the NSA and CISA advisory, software manufacturers ought to prioritize privacy and cybersecurity in their product development by incorporating secure coding standards, rigorous attack auditing, advanced software hardening, formal verification, and the adoption of secure development policies.
- The integration of secure development policies, such as continuous monitoring of vulnerabilities and adherence to cybersecurity performance goals (CPGs), aligns with the advisory's call to address systemic weaknesses in network infrastructure. It helps keep software infrastructure resilient against the current threat landscape, reduces the number of cybersecurity misconfigurations, and helps close the software understanding gap.