The “Secure by Design” series has received another entry from the US agencies CISA and the FBI. This time, the officials turn to cross-site scripting (XSS) vulnerabilities.
In the related fact sheet, CISA and the FBI discuss security flaws that allow malicious cyber actors to compromise systems using cross-site scripting. The aim is to make this type of vulnerability less common across the board. Vulnerabilities such as cross-site scripting occur frequently and are readily abused by criminals – but they can be avoided and therefore should not occur in software products.
Causes of Cross-Site Scripting Vulnerabilities
The authors explain that cross-site scripting occurs when manufacturers do not validate, sanitize, and escape user-controllable input. This allows threat actors to insert malicious scripts into web apps and abuse them to manipulate, steal, or misuse data in a variety of contexts. Although some developers implement input-filtering techniques to prevent XSS vulnerabilities, these approaches are not infallible and should be reinforced with additional security measures.

To prevent such gaps, technical managers should review their threat models and ensure that the software validates input in terms of both structure and meaning. They should also rely on modern web frameworks that provide easy-to-use functions for output encoding and ensure correct filtering. These frameworks do this, for example, by differentiating between user input and application code. The frameworks ensure that developers do not have to filter and validate every input themselves; however, programmers should follow the framework’s instructions to catch edge cases that could still lead to XSS vulnerabilities.
If modern web frameworks cannot be used, developers must ensure that all user input displayed in web apps is properly filtered and validated. In addition, aggressive, “malicious” product testing as well as code reviews are necessary to ensure code quality and security throughout the development cycle.
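The fact sheet's point about frameworks separating user input from application code can be shown with a small tagged template. The following is an added example, not code from the CISA/FBI publication: a vulnerable string concatenation beside a template tag in which literal markup is trusted code and every interpolated value is escaped as data (the `SafeHtml` marker, the `html` tag and the sample input are all constructed for this illustration).

```javascript
// Added example: HTML output encoding versus raw concatenation. Not from the fact sheet.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode a value for insertion into HTML text or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: user-controlled input is concatenated straight into markup,
// so any tags it contains are interpreted by the browser.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "</p>";
}

// Marker for markup the application itself produced and has already escaped.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: the literal parts are application code and pass through,
// every interpolation is data and is escaped unless it is already SafeHtml.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// Hardened: the same page built through the template, so escaping cannot be forgotten.
function renderGreetingSafe(name) {
  return html`<p>Hello, ${name}</p>`.toString();
}

// Composition: nested SafeHtml is inserted verbatim, plain strings are still escaped.
function renderProfile(name, bio) {
  const heading = html`<h1>${name}</h1>`;
  return html`<section>${heading}<p>${bio}</p></section>`.toString();
}

// Constructed sample input of the kind a form field might receive.
const SAMPLE_NAME = "<script>alert(1)</script>";
```

`renderGreetingUnsafe(SAMPLE_NAME)` emits the script tag as live markup, while `renderGreetingSafe(SAMPLE_NAME)` emits it as inert text.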
As is usual in the “Secure by Design” guides, these specific tips for the development process are followed by instructions for management. It must take responsibility, create transparency and, if necessary, rebuild structures to achieve these security goals.
At Mandiant’s mWise conference, CISA chief Jen Easterly was very clear about her view: calling security flaws “software vulnerabilities” is too generous and “actually obscures responsibility. We should call them ‘product defects.’” This perspective is also reflected in the handouts for software developers that make up the “Secure by Design” series. Officials recently focused on the vulnerability class of command injection, specifically OS command injection.
(DMK)
