On September 17, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) published a Secure by Design Alert, cautioning senior executives and business leaders to be aware of and work to eliminate cross-site scripting (“XSS”) vulnerabilities in their products (the “Alert”). XSS vulnerabilities allow “threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts.”
Of note, the Alert urges senior executives and business leaders to prioritize eliminating such defects and to work with their technical leaders to implement a secure by design approach. The Alert’s focus on senior executives and business leaders echoes efforts to emphasize the role of management in cybersecurity, such as the addition of a “Governance” function to the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework 2.0.
The Alert encourages companies to follow the three principles outlined in the joint guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software:
Principle 1: Take Ownership of Customer Security Outcomes
The Alert states that software manufacturers should invest in “providing secure building blocks for developers” and implementing mechanisms, such as automated safeguards and static analysis tools, to prevent vulnerabilities on a large scale early in the development cycle. In addition, senior executives should have their companies regularly test and conduct code reviews to detect software vulnerabilities. The Alert cautions that “relying solely on detecting, mitigating, and patching vulnerabilities after they have been identified for years is not a sustainable security approach.”
Principle 2: Embrace Radical Transparency and Accountability
The Alert encourages software manufacturers to “lead with transparency when disclosing product vulnerabilities” and recommends that they track and disclose product vulnerabilities to customers, using the CVE Program and CWE (Common Weakness Enumeration). The Alert also notes that software manufacturers should maintain a modern vulnerability disclosure program (“VDP”).
Principle 3: Build Organizational Structure and Leadership to Achieve These Goals
The Alert states that senior executives and business leaders should (among other items):
- Provide “the security of their products the same level of care they give to cost;”
- Implement “the appropriate investments and develop the right incentive structures that promote security as a stated business goal;”
- Direct “programs to root out entire classes of vulnerability rather than addressing them on a case-by-case basis;”
- Enact “organizational structures that prioritize proactive measures” to root out XSS vulnerabilities; and
- Conduct “reviews to detect common and well-known vulnerabilities.”
The Alert also encourages software manufacturers to consider taking the Secure by Design Pledge, which establishes seven key goals for combating vulnerabilities like XSS.