The Cybersecurity and Infrastructure Security Agency (CISA) is shifting its focus to eliminating risky software-building practices after securing more than 230 voluntary commitments from software manufacturers to its secure-by-design pledge. Rina Rakipi, who leads the program, announced the shift at the ACT-IAC Imagine Nation ELC 2024 conference. CISA and the FBI have jointly released a document titled “Product Security Bad Practices,” which calls out practices such as shipping products with default passwords and writing new code in memory-unsafe programming languages. Keelan Sweeney of CISA noted that roughly 60 to 70 percent of vulnerabilities stem from memory-safety bugs in code written in memory-unsafe languages, and stressed that vendors should prioritize memory-safe coding practices. The document is open for public comment until December 2; its aim is to guide vendors on practices to avoid and to improve software security from the outset rather than after release.
Delta Air Lines has filed a lawsuit against CrowdStrike seeking $500 million in damages over the faulty software update that caused a massive outage on July 19, 2024, crashing 8.5 million Windows computers worldwide. The outage led Delta to cancel more than 7,000 flights and stranded 1.3 million customers. Delta claims that CrowdStrike’s failure to properly test the update before releasing it led to a “catastrophic” disruption, and asserts that the incident resulted from the cybersecurity firm prioritizing profit over customer safety. CrowdStrike rejected Delta’s accusations, stating that the airline’s outdated IT infrastructure was the reason its recovery took far longer than that of other affected customers. Cybersecurity expert Dr. Ilia Kolochenko noted that proving negligence in court could be challenging for Delta and suggested that an out-of-court settlement might be more beneficial for both parties.
Why do we care?
I’m not sure the work is done on secure-by-design, and had hoped this push would extend to more developers. Having the key platform providers commit is certainly a step forward. This shift underscores the importance of vetting software vendors on their secure development practices, not just on features and price. As the secure-by-design movement grows, MSPs may benefit from establishing internal procurement policies that favor vendors who have signed the pledge and can show how they meet it.
The CrowdStrike case reinforces the need for rigorous pre-deployment testing, control over how and when updates reach production systems (the ability to stage or delay a rollout rather than take every update immediately), clear communication with clients regarding system compatibility, and proactive risk management when deploying updates. In light of this, MSPs should review their service-level agreements (SLAs) and consider clauses that define responsibilities clearly, especially when supporting legacy infrastructure that may recover slowly from a bad update. Making rigorous testing a contractual requirement for software suppliers, rather than something customers simply hope for, would shift that dynamic.