A leading US security agency has released timely advice designed to raise awareness of coding best practices that eliminate one of the most common classes of software vulnerability.
Teaming up with the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) issued its Secure by Design Alert yesterday in a bid to reduce the number of cross-site scripting (XSS) bugs appearing in software.
“Senior executives and business leaders should ask their teams how they are working to eliminate these defects and whether they are implementing a secure by design approach in their products,” it argued.
XSS vulnerabilities occur when vendors fail to properly validate, sanitize or escape inputs. That allows malicious actors to inject malicious scripts into web applications and exploit them to manipulate, steal or misuse data, CISA warned.
According to the alert, technical leads at software development organizations must create a strategic plan to eliminate XSS from their products by:
- Reviewing written threat models
- Ensuring software validates input for both structure and meaning
- Using modern web frameworks that offer easy-to-use functions for output encoding, to ensure proper “escaping” or “quoting”
- Following the guidance in these frameworks to prevent any remaining edge cases that may lead to XSS vulnerabilities
- Ensuring all user input displayed in web applications undergoes proper escaping or sanitization (when web frameworks are unavailable)
- Conducting code reviews
- Implementing aggressive adversarial product testing to optimize the quality and security of code throughout its development lifecycle
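The input-validation and output-encoding steps above, shown as an added JavaScript example that is not part of the CISA/FBI alert: a naive template that concatenates untrusted input beside the same template with HTML-context escaping, plus an allow-list validator; the function names, the character allow-list and the sample input are constructed for illustration.

```javascript
// Added example (not from the CISA alert): output encoding for the HTML
// text/attribute context versus naive concatenation, plus structural
// input validation. Names and sample data below are constructed.

// Escape the five characters that are significant in HTML text and
// double-quoted attribute contexts. Ampersand is replaced first so that
// the entities produced by later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: untrusted input is concatenated straight into markup,
// so any tag in the value becomes part of the page.
function renderGreetingUnsafe(displayName) {
  return `<p>Hello, ${displayName}!</p>`;
}

// Hardened pattern: the same template, but every untrusted value is encoded
// for the HTML text context it lands in. A framework's auto-escaping
// template does this for you; this shows what it must do.
function renderGreetingSafe(displayName) {
  return `<p>Hello, ${escapeHtml(displayName)}!</p>`;
}

// Validation "for structure and meaning": a display name is a short string
// drawn from an allow-list of characters (letters, digits, a few
// punctuation marks). Validation narrows what is accepted; encoding still
// happens at output, because validation rules change and are easy to bypass.
const DISPLAY_NAME = /^[\p{L}\p{N} _.'-]{1,32}$/u;
function isValidDisplayName(s) {
  return typeof s === "string" && DISPLAY_NAME.test(s);
}

// Constructed sample input carrying markup (not a real user record).
const SAMPLE_INPUT = '<script>alert("x")</script>';

// Returns both renderings so a caller (or test) can compare them.
function demo(input = SAMPLE_INPUT) {
  return {
    accepted: isValidDisplayName(input),
    unsafe: renderGreetingUnsafe(input),
    safe: renderGreetingSafe(input),
  };
}
```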
“To demonstrate their commitment to building their products that are secure by design, software manufacturers should consider taking the Secure by Design Pledge,” the FBI and CISA concluded. “The pledge lays out seven key goals that the signers commit to demonstrating measurable progress towards, including reducing systemic classes of vulnerability like cross-site scripting.”