CISA Releases Software Configuration Guidance Based on Joint Assessments With NSA

The Cybersecurity and Infrastructure Security Agency has released a new report co-developed with the National Security Agency focused on the need to incorporate secure-by-design principles for software.

The “NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Configurations” report provides guidance software manufacturers should follow to avoid software misconfigurations that can lead to cyber intrusions. Some of the recommendations are embedding security controls from the start of the software lifecycle, eliminating default passwords, including redundancies in software designs to avoid a single point of failure, detecting systems control bypass instances in audits and using multi-factor authentication.

The recommendations were made using lessons learned from several years of red and blue team operations, CISA said Thursday.

The two agencies have been assessing how malicious actors could infiltrate systems over recent years. According to the agencies, analysts found 10 common network misconfigurations, which include improper privilege separation, insufficient internal network monitoring, poor patch management, poor credential hygiene and system access controls bypass.

The software configuration guidance is one of several documents CISA released in recent months to help organizations improve their cybersecurity posture. In July, the agency released two documents focused on 5G network slicing and cloud security tools.