A new joint alert from CISA and the FBI seeks to assist private sector software developers in removing XSS vulnerabilities from their products, with a basic overview of best practices aimed primarily at executives and business leaders.
The alert stresses communication between organizational leadership and technical teams, and asks its readers to take a “Secure By Design” pledge that includes seven key goals designed to substantially reduce XSS vulnerabilities within one year.
CISA: Take on XSS vulnerabilities with security by design, “radical transparency”
The XSS vulnerabilities alert is part of an ongoing program by the two agencies to reduce the prevalence of vulnerability classes at scale. This particular alert is directed at senior executives and business leaders, and focuses on advising them as to how to communicate with their technical teams and where to center their efforts.
To that end, the alert advises that technical leaders should review their written threat models, ensure software validates input for both structure and meaning, conduct code reviews and implement aggressive adversarial product testing. The alert also stresses the use of modern web frameworks with easy-to-use functions for output encoding, reducing the burden on developers of catching potential XSS vulnerabilities that stem from improperly escaping user input.
These general points are followed up by three more detailed principles. Principle 1 is ownership of customer security outcomes. CISA sees this as making necessary security investments and adopting best practices, with a particular focus on large-scale implementation early in the development life cycle. This shifts more of the responsibility onto the developer to conduct preventive maintenance on software, ultimately requiring less patching on the user end (one of the central causes of labor logjams for IT departments everywhere).
Principle 2 is perhaps the most interesting, advocating for “radical transparency and accountability.” However, CISA mostly sees this as being prompt and forthcoming about tracking and disclosing XSS vulnerabilities via the CVE program. The alert also notes that a large number of XSS vulnerabilities stem from the common weakness CWE-79, the failure to correctly neutralize user input before it enters a web page that is then served to other users. CISA suggests that manufacturers make elimination of this vulnerability class an immediate priority.
Principle 3 addresses the build-out of organizational structure and leadership. This segment has something of a chastising tone, advising that executives provide the same “level of care” to security that they do to cost, and noting that national security and customers are paying the price for cost-saving decisions in this area. But the report also notes that organizations could very well see cost savings over the long term from a “security by design” approach, in productivity costs as well as in spending tied to remediation and penalties when incidents occur.
FBI and CISA promote the “Secure By Design” pledge
CISA is asking software manufacturers to take the “Secure by Design” pledge, which consists of seven central security goals that organizations commit to making “measurable” progress on within a year. XSS vulnerabilities are among the classes of vulnerability that the pledge asks signees to address, along with the likes of SQL injection and memory safety vulnerabilities. The pledge suggests demonstrating this commitment by publishing a roadmap to progress on XSS vulnerabilities, or a regularly updated blog documenting the manufacturer’s progress on all vulnerability types.
Other related items in the pledge include demonstrating transparency in vulnerability reporting with CWE and CPE fields in every CVE record for the manufacturer’s products, publishing a public vulnerability disclosure policy that is machine-readable and perhaps supported by an ongoing blog, and improving both the patching experience and clear communication to customers about patching and end-of-life issues. The pledge also includes items that should already be in motion, such as implementing MFA and ensuring default passwords do not remain in use.
CISA notes that while developers do commonly employ input sanitization techniques to prevent XSS vulnerabilities, this approach cannot be relied on as a sole method and requires supplementation by other measures. This includes regular and detailed code reviews, modern web frameworks and multiple rounds of adversarial testing at different development stages.
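The two controls the alert keeps returning to, validating input for structure and meaning and encoding output at the point where it enters the page, are shown side by side below as an added example (Node.js, written for this article; not code from the CISA/FBI alert or from any framework). The function names are hypothetical, and the inputs are constructed.

```javascript
// Added example, not from the CISA/FBI alert. All names are hypothetical.

// Output encoding for the HTML body/attribute context: every character that
// can change the structure of the surrounding markup becomes an entity.
function encodeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Input validation for structure AND meaning: a display name must be a
// short string drawn from an allow-list of characters. This is defence in
// depth only; it does not replace encoding, because validated data may still
// be reflected into a different context later (an apostrophe is allowed here
// and must still be encoded on output).
function validateDisplayName(name) {
  if (typeof name !== 'string') return false;
  if (name.length < 1 || name.length > 32) return false;
  return /^[\p{L}\p{N} .'-]+$/u.test(name);
}

// The CWE-79 pattern the alert describes: untrusted input concatenated
// straight into markup that other users will receive.
function renderGreetingUnsafe(name) {
  return `<p>Welcome, ${name}!</p>`;
}

// Hardened form: reject input that fails validation, then encode whatever is
// emitted, which is what the output-encoding helpers of modern frameworks do.
function renderGreetingSafe(name) {
  const display = validateDisplayName(name) ? name : 'guest';
  return `<p>Welcome, ${encodeHtml(display)}!</p>`;
}

// Constructed inputs: one carries markup, one is a legitimate name whose
// apostrophe still needs encoding.
const markupInput = '<b>Ada</b>';
const legitimateInput = "O'Brien";

console.log(renderGreetingUnsafe(markupInput)); // markup reaches the page
console.log(renderGreetingSafe(markupInput));   // rejected, falls back to guest
console.log(renderGreetingSafe(legitimateInput)); // accepted and encoded
```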
The alert follows a series of similar bulletins for other vulnerability types that have been issued since the start of the year, such as OS command injection and path traversal techniques. These alerts are often prompted by the observation of a nation-state advanced persistent threat group making broad use of them to probe for holes in national security. The role of senior leadership is to be proactive in communicating with technical teams about how they are mitigating these vulnerabilities, and in spearheading the implementation of a “secure by design” process for all software.
Chris Wysopal, Chief Security Evangelist and Founder of Veracode, notes that XSS vulnerabilities are an excellent place to start: “Veracode identifies XSS vulnerabilities in approximately 50% of the applications we scan. When we detect these vulnerabilities in an application, it’s not unusual to find over 100 instances. CISA continues to reinforce that eliminating groups of errors improves security, but evidence shows that the industry is not making sufficient progress. Many of the top software products fail to protect their customers from common classes of defects like XSS. Given the widespread nature of XSS vulnerabilities, it’s crucial to teach the fundamentals of secure coding, particularly the importance of always encoding output in web applications. While XSS is easy to prevent, scan for, and fix, awareness is key to eliminating these defects across all your web apps. Development teams can use GenAI-powered auto-remediation tools that simplify the process by automatically fixing XSS flaws.”