LAS VEGAS—Two government officials came to Black Hat here this week with some security tips that got a whole lot more specific than the high-level talking points attendees might have expected to come out of Washington.
Among the actionable advice offered by Bob Lord and Jack Cable, both senior technical advisors at the Cybersecurity and Infrastructure Security Agency (CISA), to tech vendors:
Switch to writing software in memory-safe languages that resist buffer-overflow attacks;
Provide a software bill of materials for each release so there’s no mystery about its components and libraries;
Maintain a vulnerability disclosure policy with legal safe harbor for security researchers;
Eliminate default passwords that users may never change;
Offer single sign-on at no extra cost instead of charging extra for each user employing this safer authentication option;
Provide multi-factor authentication to ensure that the compromise of a password doesn’t result in the loss of an account;
Offer high-quality audit logs at no extra charge;
Make the concept of a “hardening guide” telling customers how to lock down the product obsolete by ensuring that it’s secure out of the box.
This advice came as part of CISA’s Secure By Design effort, in which that agency is trying to foster the adoption of security best practices by tech vendors so that customers are no longer left with their own security to-do lists.
“We want them to be owning security outcomes for their product,” Cable said. “Wherever it's deployed, by default, by design, it's secure.”
He urged them to practice “radical transparency and accountability”—adding that this doesn’t just mean coming clean about failings but also celebrating security wins—and build organizational
Read more on pcmag.com