The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert urging software manufacturers to prioritize eliminating cross-site scripting (XSS) vulnerabilities in their products. XSS vulnerabilities are a common and preventable security flaw that attackers exploit to steal or manipulate data.
Why This Matters:
- XSS vulnerabilities are ranked second on MITRE’s 2022 list of most dangerous software flaws.
- These vulnerabilities are found in roughly two-thirds of web applications, according to OWASP.
- Attackers can use XSS to steal data, redirect users to malicious websites, or inject malware.
What CISA and FBI Recommend:
- Software manufacturers should:
  - Review documented threat models.
  - Ensure software validates user input for both structure (syntax) and meaning (semantics).
  - Use modern web frameworks that automatically escape user input when it is rendered into output.
  - Conduct thorough code reviews and implement adversarial testing.
  - Develop a strategic plan to eliminate XSS vulnerabilities entirely.
- Senior executives should:
  - Take accountability for customer security.
  - Regularly test software for vulnerabilities.
  - Consider adopting the Secure by Design principles outlined in the joint guidance.
What is Secure by Design?
CISA’s Secure by Design initiative encourages software manufacturers to prioritize security from the very beginning of the development process. This includes:
- Taking ownership of customer security outcomes: Manufacturers should invest in secure building blocks and preventative measures to avoid vulnerabilities.
- Embracing radical transparency and accountability: Manufacturers should disclose vulnerabilities promptly and accurately, using established programs like CVE and CWE.
- Building organizational structure and leadership to achieve security goals: Executives should prioritize security, allocate resources, and establish processes to identify and eliminate vulnerabilities proactively.
How Can Software Manufacturers Get Involved?
Manufacturers can demonstrate their commitment to secure software by taking the Secure by Design Pledge. This pledge outlines seven key goals to reduce vulnerabilities like XSS.
By following these recommendations, software manufacturers can help create a more secure digital environment for everyone.