CISA Urges Software Makers to Eliminate XSS Flaws
The latest Secure by Design alert from CISA outlines recommended actions security teams should implement to reduce the prevalence of cross-site scripting vulnerabilities in software.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are urging organizations to focus on eliminating cross-site scripting vulnerabilities in their products before shipping them.
"Vulnerabilities like cross-site scripting (XSS) continue to appear in software, enabling threat actors to exploit them," the agencies wrote in their latest Secure by Design alert. "[XSS] vulnerabilities are preventable and should not be present in software products."
XSS vulnerabilities occur in Web applications when the developer does not properly validate, sanitize, or escape inputs. Malicious actors can use those input fields to inject scripts that execute in the application, allowing them to manipulate and steal data. XSS was rated second on MITRE's list of the top 25 most dangerous software flaws in 2022 and is also included in the OWASP Top 10. XSS flaws can be found in around two-thirds of all applications, according to OWASP.
CISA listed the following recommendations:
Review written threat models.
Ensure software validates input for both structure and meaning.
Use modern Web frameworks that offer easy-to-use functions for output encoding, to ensure proper escaping and quoting.
"[These] frameworks make it so that the burden doesn't fall on developers to correctly escape user input every time," the alert noted. The frameworks also have guidance on preventing edge cases that may lead to XSS vulnerabilities. And in cases where Web frameworks are unavailable, teams should ensure all user input in Web applications is properly escaped or sanitized.
Conduct code reviews.
Implement adversarial product testing to optimize code quality and security.
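The two recommendations that most directly remove XSS from code are validating input for structure and meaning and encoding output for the context it lands in. The following is an added example, not code from CISA, the FBI, or the article: it shows the unsafe pattern (untrusted text concatenated into markup), a hardened version that routes every interpolation through an HTML encoder, and a tagged template that makes encoding the default the way the alert says modern frameworks do. The function names, the allowlist rule for usernames, and the sample comment are all constructed for this illustration.

```javascript
// Added example (not from the CISA alert or the article). Runs under Node.js;
// no DOM is required because only the produced markup string is inspected.

// Characters that change meaning in HTML text or in a double-quoted attribute.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Output encoding for the HTML text/attribute context. JavaScript, URL and
// CSS contexts each need their own encoder; this one is not sufficient there.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation for structure and meaning: a username is letters, digits
// and underscores, 3 to 20 characters (an assumed rule for this example).
// Validation narrows what is accepted; it does not replace output encoding.
function validateUsername(name) {
  return /^[a-z0-9_]{3,20}$/i.test(name);
}

// Unsafe rendering: untrusted input is pasted straight into the markup.
function renderCommentUnsafe(author, comment) {
  return `<p class="comment" data-author="${author}">${comment}</p>`;
}

// Hardened rendering: every interpolated value passes through the encoder.
function renderCommentSafe(author, comment) {
  return `<p class="comment" data-author="${escapeHtml(author)}">${escapeHtml(comment)}</p>`;
}

// Tagged template that encodes all interpolations automatically, so the
// developer cannot forget an escapeHtml() call. This is the pattern the
// alert attributes to modern Web frameworks.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

function renderCommentTemplate(author, comment) {
  return html`<p class="comment" data-author="${author}">${comment}</p>`;
}

// Small detector used only to demonstrate the difference between the
// renderers: counts <script ...> start tags in the produced markup.
function countScriptTags(markup) {
  return (markup.match(/<script\b/gi) || []).length;
}

// Constructed sample input: a comment body carrying a script element.
const sampleAuthor = "alice_01";
const sampleComment = "Nice post <script>alert(1)</script>";

console.log("valid username:", validateUsername(sampleAuthor));
console.log("unsafe  ->", renderCommentUnsafe(sampleAuthor, sampleComment));
console.log("safe    ->", renderCommentSafe(sampleAuthor, sampleComment));
console.log("template->", renderCommentTemplate(sampleAuthor, sampleComment));
console.log("script tags (unsafe/safe):",
  countScriptTags(renderCommentUnsafe(sampleAuthor, sampleComment)),
  countScriptTags(renderCommentSafe(sampleAuthor, sampleComment)));
```

In a code review, the unsafe renderer is the pattern to flag: any template literal or string concatenation that places request-derived data into markup without an encoder. The tagged-template form is easier to review because the absence of escaping, rather than its presence, is the exception.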
"Senior executives and business leaders should ask their teams how they are working to eliminate these defects and whether they are implementing a secure by design approach in their products," the alert said.
CISA unveiled its Secure by Design initiative in April 2023 to urge software manufacturers to focus on shipping products that are secure by design. There is a self-attestation form and a repository that software makers can use to provide security details about their products. Over 60 vendors have signed the Secure by Design pledge, announcing their commitment to apply the seven core goals outlined by CISA, including using multifactor authentication, reducing default passwords, reducing the prevalence of certain vulnerability classes, and improving patching.
The XSS alert is the seventh Secure by Design alert from CISA. These alerts highlight vulnerabilities that persist in software despite the availability of effective mitigations. The July alert urged software companies to eliminate OS command injection vulnerabilities. The May and March alerts focused on eliminating path traversal and SQL injection flaws. In January, CISA provided guidance on how to secure small office/home office routers against attempts to hijack them. Alerts last year recommended companies stop shipping software and devices with default passwords and secure Web management interfaces from attack.