CISA, FBI Update Software Security Recommendations 


The US cybersecurity agency CISA and the FBI have updated their guidance on software security bad practices to incorporate the feedback received during a public comment period.

Called Product Security Bad Practices, the guidance provides an overview of the practices considered exceptionally risky, offers recommendations on addressing them, and urges makers of software for critical infrastructure to prioritize security.

A non-binding document, the guidance covers bad practices related to product properties, security features, and organizational processes and policies, including the use of memory-unsafe languages, default passwords, and components with known vulnerabilities, the lack of multi-factor authentication (MFA) and logging, and the failure to publish CVEs with CWEs in a timely manner.

Following a month-and-a-half public comment period, CISA incorporated feedback from 78 public comments, adding new bad practices, clearer timelines for patching flaws listed in the Known Exploited Vulnerabilities (KEV) catalog, additional context regarding memory-safe programming languages, and more.

The updated guidance adds three new bad practices, covering hardcoded credentials, the use of insecure or outdated cryptographic functions, and product support, and includes more examples of how to prevent SQL injection and command injection bugs.

Furthermore, it updates the MFA section with language specific to operational technology products and recommends that software makers support phishing-resistant MFA.

“This document is intended for software manufacturers who develop software products and services, including on-premises software, cloud services, and software as a service (SaaS). This also applies to software products that run on operational technology (OT) products or embedded systems,” CISA and the FBI note.

However, the two agencies advise all software manufacturers to review the guidance and avoid the bad practices it describes, thereby signaling to their customers that they are taking ownership of customer security outcomes, one of the secure-by-design principles that CISA is urging organizations to adhere to.

“CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process,” the two agencies note.
