XSS vulnerabilities have been a general nuisance for years, but a new alert from CISA and the FBI points out that they represent a national security risk and a notable financial drain on the country.
To that end, the agencies are providing guidance to software development firms in the hopes of significantly cutting down on them. The alert, which follows several similar bulletins issued earlier this year on different threat types, is written primarily for business leaders and executives who oversee technical teams.
“Secure by Design” framed as national security concern
CISA’s alerts of this nature this year have tied in with its “Secure by Design” pledge, which asks organizations to commit to marked improvements in several different areas of security within a year’s time. This pledge is voluntary, but is meant to address a wide range of common vulnerabilities that should be relatively easy to cut down yet continue to be a significant problem across the threat landscape.
In terms of XSS vulnerabilities, CISA would like to see organizations do more to specifically address them. While input sanitization is commonly employed to filter these issues out, it is no longer seen as singularly effective. The agencies are looking to see bolstered methods such as use of modern web frameworks, code reviews and ongoing adversarial testing throughout development.
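To illustrate the distinction the alert draws, here is an added example (not code from the CISA alert or from this article) contrasting a context-blind input filter with the context-aware output encoding that modern web frameworks apply automatically; the function names and the sample input are assumptions for the demonstration.

```javascript
// Added example, not from the CISA alert or the article: input filtering
// versus output encoding for the HTML text context.

// A typical input "sanitizer": strips <script> tags and nothing else.
// It is blind to where the value will later be rendered, so any markup it
// does not recognise passes straight through.
function stripScriptTags(untrusted) {
  return String(untrusted).replace(/<\/?script[^>]*>/gi, "");
}

// Context-aware encoding for an HTML text node: every character that can
// change parsing in this context becomes an entity, whatever the input was.
function encodeForHtmlText(untrusted) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Render a bound value into an element body the way an auto-escaping
// framework template would, so the value can never become markup.
function renderGreeting(name) {
  return `<p>Hello, ${encodeForHtmlText(name)}!</p>`;
}

// Check a rendered fragment for any raw angle brackets inside the bound value.
function valueIsInert(rendered) {
  const inner = rendered.replace(/^<p>Hello, /, "").replace(/!<\/p>$/, "");
  return !/[<>]/.test(inner);
}

// Constructed sample input containing ordinary markup characters.
const sample = '<b>Bob</b> & "Co"';
```

The input filter leaves the sample unchanged because it contains no `<script>` tag, while the encoded rendering is inert regardless of what the input held.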
The Secure by Design pledge also stresses transparency and accountability. CISA suggests that organizations keep public-facing documentation, such as blog posts and roadmaps, to document their journey in reducing XSS vulnerabilities (as well as other types of threats).
Legitimate national security concerns do tend to prompt these alerts for long-known vulnerabilities, when nation-state threat actors are spotted having a high rate of success in using them to penetrate targets. XSS vulnerabilities remain rampant in software, and it is not uncommon for individual applications to have dozens when scanned. This problem is also not limited to lesser-known or open-source software; tech’s biggest names are culpable as well.
CISA advises business leaders on XSS vulnerabilities
The alert is less specific technical advice for coders, and more leadership advice for executives in terms of setting priorities, employing proven techniques and keeping in communication with technical teams about goals and progress.
The bulk of the alert focuses on three principles that leaders are urged to adopt: ownership of customer security outcomes, “radical” transparency and accountability, and building an organizational structure that best addresses XSS vulnerabilities. The “ownership” concept essentially encourages developers to take on more responsibility at the development end, especially early in the process. Ideally this would reduce the amount of patching that end users have to do to keep up with emerging vulnerabilities, something that creates a tremendous workload across the entire IT field.
In terms of getting “radical” with transparency and accountability, the alert mostly sees that as promptly disclosing and accounting for XSS vulnerabilities in the CVE system, and perhaps keeping a blog or similar public source that documents updates when these vulnerabilities appear. And in terms of addressing organization structure, the alert notes some ways in which cost savings can be realized with a commitment to security by design from the beginning of new projects.