{"id":5361,"date":"2024-09-17T16:55:08","date_gmt":"2024-09-17T21:55:08","guid":{"rendered":"https:\/\/www.darkreading.com\/application-security\/cisa-urges-software-makers-eliminate-xss-flaws"},"modified":"2024-09-17T16:55:08","modified_gmt":"2024-09-17T21:55:08","slug":"cisa-urges-software-makers-to-eliminate-xss-flaws","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/17\/cisa-urges-software-makers-to-eliminate-xss-flaws\/","title":{"rendered":"CISA Urges Software Makers to Eliminate XSS Flaws"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt87869938aa6d032b\/66eac1773255c9dfb5a7fbf4\/software-design-oleksiy-maksymenko-alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are urging organizations to focus on eliminating cross-site scripting vulnerabilities in their products before shipping them.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Vulnerabilities like cross-site scripting (XSS) continue to appear in software, enabling threat actors to exploit them,&#8221; the agencies wrote in <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/09\/17\/cisa-and-fbi-release-secure-design-alert-eliminating-cross-site-scripting-vulnerabilities\" rel=\"noopener\">their latest Secure by Design alert<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">. &#8220;[XSS] vulnerabilities are preventable and should not be present in software products.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">XSS vulnerabilities occur in Web applications when the developer did not properly validate, sanitize, or escape inputs. Malicious actors can use those input fields to insert and execute malicious scripts into the application, allowing them to manipulate and steal data. XSS was rated second on MITRE&#8217;s list of top 25 most dangerous software flaws in 2022 and is also included in <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/owasp.org\/Top10\/\" rel=\"noopener\">OWASP Top 10<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">. XSS flaws can be found in around two-thirds of all applications, according to OWASP.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/secure-design-alert-eliminating-cross-site-scripting-vulnerabilities\" rel=\"noopener\">CISA listed<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> the following recommendations:<\/span><\/p>\n<div data-component=\"basic-list\" class=\"BasicList BasicList_nestedLevel_0 BasicList_variant_unordered BasicList_limited\">\n<ul data-testid=\"basic-list-unordered\" class=\"BasicList-UnorderedList\">\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"7\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Review written threat models.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"7\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Ensure software validates input for both structure and meaning.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"10.5\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"16\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Use modern Web frameworks that offer easy-to-use functions for output encoding, to ensure proper escaping and quoting.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;[These] frameworks make it so that the burden doesn&#8217;t fall on developers to correctly escape user input every time,&#8221; the alert noted. The frameworks also have guidance on preventing edge cases that may lead to XSS vulnerabilities. And in cases where Web frameworks are unavailable, teams should ensure all user input in Web applications are properly escaped or sanitized.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Conduct code reviews.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"7\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Implement adversarial product testing to optimize code quality and security.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Senior executives and business leaders should ask their teams how they are working to eliminate these defects and whether they are implementing a secure by design approach in their products,&#8221; the alert said.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">CISA unveiled its Secure by Design initiative in April 2023 to urge software manufacturers to focus on shipping products that are secure by design. There is a self-attestation form and a repository that software makers can use to provide security details about their products. Over 60 vendors have <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/endpoint-security\/tech-companies-promise-secure-by-design-products\" rel=\"noopener\">signed the Secure by Design pledge<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, announcing their commitment to apply the <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/news\/secure-design-turns-1\" rel=\"noopener\">seven core goals<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> outlined by CISA, including using multifactor authentication, reducing default passwords, reducing the prevalence of certain vulnerability classes, and improving patching.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The XSS alert is the seventh <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/securebydesign\/alerts\" rel=\"noopener\">Secure by Design alert<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> from CISA. These alerts highlight vulnerabilities that persist in software despite the availability of effective mitigations. The July alert urged software companies to eliminate path OS command injection vulnerabilities. The May and March alerts focused on eliminating path traversal and SQL injection flaws. In January, CISA provided <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-01\/SbD-Alert-Security-Design-Improvements-for-SOHO-Device-Manufacturers.pdf\" rel=\"noopener\">guidance on how to secure small office\/home office routers<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> against attempts to hijack them. Alerts last year recommended companies stop shipping software and devices with default passwords and secure Web management interfaces from attack.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/application-security\/cisa-urges-software-makers-eliminate-xss-flaws\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The US Cybersecurity and Infrastructure Security Agency (CISA) and the<\/p>\n","protected":false},"author":12,"featured_media":5362,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5361","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?fit=2000%2C1125&ssl=1",2000,1125,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?fit=2000%2C1125&ssl=1",2000,1125,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/cisa-urges-software-makers-to-eliminate-xss-flaws.jpg?fit=2000%2C1125&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5361"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5361\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5362"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}