CISA Offers Manufacturing Software Guidance, Key Vulnerability Updates

By Staff

The Cybersecurity and Infrastructure Security Agency recently shared a number of key updates:

  • Fortinet has updated its security advisory for a critical FortiManager vulnerability (CVE-2024-47575) to include additional workarounds and indicators of compromise (IOCs). A remote, unauthenticated cyber threat actor could exploit this vulnerability to gain access to sensitive files or take control of an affected system. All patches have now been released. CISA previously added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation, as confirmed by Fortinet. CISA strongly encourages users and administrators to apply the necessary updates, hunt for malicious activity using the published IOCs, assess potential risk from service providers that manage FortiManager on their behalf, report positive findings to CISA, and review Fortinet's updated advisory for additional information.
  • CISA, along with U.S. and international partners, also released the joint guidance Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers. The guide helps software manufacturers establish secure software deployment processes so that the software they ship is reliable and safe for customers, and it describes how to deploy efficiently as part of the software development lifecycle (SDLC). CISA encourages software and service manufacturers to review the guide, evaluate their own deployment processes against it, and address gaps through a continuous improvement program. To learn more about secure by design principles and practices, visit CISA's Secure by Design webpage.
  • Finally, CISA and the Federal Bureau of Investigation (FBI) released joint guidance on Product Security Bad Practices as part of CISA's Secure by Design initiative. The guidance provides an overview of exceptionally risky product security bad practices for software manufacturers who produce software in support of critical infrastructure or national critical functions. The bad practices are organized into three categories: product properties, security features, and organizational processes and policies. For each bad practice the guidance gives a brief description, recommended actions, and additional resources. While it is written for software manufacturers whose products and services support critical infrastructure, all software manufacturers are strongly encouraged to avoid these bad practices. The public comment period concludes on December 2, 2024; during that period, members of the public can submit comments and feedback via the Federal Register.