Revisions to Product Security Bad Practices

On January 17, the US Cybersecurity & Infrastructure Security Agency (CISA) and the FBI published version 2.0 of "Product Security Bad Practices," revised to incorporate input from 78 suggestions received during a public comment period that began in October 2024. New elements include updated examples of "insecure or outdated cryptographic functions, hardcoded credentials, and product support periods"; expanded recommendations for preventing SQL injection and command injection; and additional clarity and specificity around Known Exploited Vulnerability (KEV) patch timelines, MFA in Operational Technology (OT), phishing-resistant MFA for software manufacturers, and memory safety. Reference: https://www.cisa.gov/resources-tools/resources/product-security-bad-practices