CISA and FBI have issued a Secure by Design Alert to raise awareness about cross-site scripting (XSS) vulnerabilities that continue to be exploited by cyber actors. These vulnerabilities occur when software fails to properly validate or sanitize user inputs, allowing attackers to inject malicious scripts into web applications. Although some developers attempt to mitigate these risks with input sanitization, CISA and FBI emphasize that this approach alone is not sufficient. XSS vulnerabilities can be prevented through a secure by design approach, which requires a comprehensive strategy to eliminate them at the source during the product development cycle.
The alert urges senior executives and business leaders in technology companies to take responsibility for the security of their products by implementing proactive measures to prevent XSS vulnerabilities. These measures include reviewing threat models, ensuring proper input validation, using modern web frameworks that escape potentially harmful inputs, and conducting code reviews and adversarial testing. By adopting these best practices, companies can address vulnerabilities early in development, reducing the likelihood of exploitation and improving the overall security of their products.
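The two controls the alert names, input validation and framework-style output escaping, are easy to conflate with "sanitizing" the input. The following Node.js example is added here to illustrate the distinction; it is not code from the CISA/FBI alert. The function names, the profile-card template and the sample display name are all constructed for the illustration. It goes slightly beyond the text by showing that the encoding has to match the context (HTML body, quoted attribute, JavaScript string) into which the value is inserted, which is what modern templating frameworks do for you.

```javascript
// Added example (not from the CISA/FBI alert): why stripping "bad" input is not a
// complete XSS defence, and what allowlist validation plus context-aware output
// encoding look like. All names and sample data below are constructed.

// 1. A naive blacklist sanitizer of the kind the alert says is insufficient.
//    It removes literal <script> tags in a single pass and trusts the remainder.
function naiveSanitize(input) {
  return input.replace(/<\/?script>/gi, "");
}

// 2. Allowlist input validation: appropriate where the field has a known shape
//    (here, a handle of 3-20 word characters). Reject bad input, do not "clean" it.
function isValidHandle(handle) {
  return /^[A-Za-z0-9_]{3,20}$/.test(handle);
}

// 3. Context-aware output encoding, applied at render time regardless of what
//    validation happened earlier. Free text such as a display name cannot be
//    allowlisted, so it must be encoded for the context it is placed in.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

function encodeForHtmlAttribute(value) {
  // Same character set as the HTML body; the template must still quote the attribute.
  return encodeForHtml(value);
}

function encodeForJsString(value) {
  // Inside a JS string literal, escape anything that could terminate the literal
  // or the enclosing <script> element, using \uXXXX escapes.
  return String(value).replace(/[\\'"<>\n\r\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Render a profile card. The "unsafe" version concatenates sanitized input into
// markup; the "safe" version encodes per context and never lets input become markup.
function renderProfileUnsafe(displayName) {
  return `<div class="name">${naiveSanitize(displayName)}</div>`;
}

function renderProfileSafe(displayName) {
  return `<div class="name" title="${encodeForHtmlAttribute(displayName)}">` +
    `${encodeForHtml(displayName)}</div>`;
}

// Constructed sample input: a display name whose nested tags reassemble into a
// <script> element after the sanitizer's single pass removes the inner one.
const SAMPLE_NAME = "Alice <scr<script>ipt>alert(1)</scr</script>ipt>";

// Stand-alone demonstration of the two outcomes.
console.log("unsafe:", renderProfileUnsafe(SAMPLE_NAME));
console.log("safe:  ", renderProfileSafe(SAMPLE_NAME));
console.log("handle valid:", isValidHandle("alice_01"), isValidHandle(SAMPLE_NAME));
```

The unsafe renderer emits a live `<script>` element even though it "sanitized" the input, because one-pass blacklist removal is not idempotent; the safe renderer emits the same characters as inert text. That is the design point behind the alert's advice to rely on frameworks that encode output rather than on input cleaning alone.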
In addition to technical measures, CISA and FBI outline three key principles for manufacturers to follow in creating secure software. The first principle, “Take Ownership of Customer Security Outcomes,” emphasizes the need for manufacturers to prioritize security and implement safeguards that prevent vulnerabilities like XSS. The second principle, “Embrace Radical Transparency and Accountability,” encourages manufacturers to track and disclose vulnerabilities through the CVE program, ensuring transparency with customers. The third principle, “Build Organizational Structure and Leadership,” stresses the importance of creating an organizational culture that prioritizes proactive security measures and accountability at all levels of development.
Finally, CISA and FBI encourage technology manufacturers to adopt the Secure by Design Pledge, which outlines specific goals for eliminating systemic vulnerabilities and securing products from the start. This initiative aims to shift the industry towards building secure products as a standard practice, rather than relying on reactive measures such as patching vulnerabilities after they are discovered. By committing to the Secure by Design principles and following the recommended practices, manufacturers can enhance their product security and contribute to a safer digital environment for all users.