NIST cyber advisor Lipner asks CISA to clarify purpose of bad practices guide for product security

The Cybersecurity and Infrastructure Security Agency needs to clearly define the relationship between its product security bad practices guide and secure by design principles, according to SAFECode executive director Steve Lipner, who chairs an influential NIST cyber advisory body.

“Our primary reaction to the draft is uncertainty about the purpose of the document. Although it takes a negative rather than a positive perspective on vendors’ responsibility for developing secure products (‘don’t to this’ rather than ‘do that’), it adds little...