Tech providers have been urged by the Cybersecurity and Infrastructure Security Agency and the FBI to implement additional security measures on top of input sanitization techniques to remove cross-site scripting vulnerabilities from their products, according to SecurityWeek.
Eliminating XSS flaws requires a written threat model, code reviews, adversarial product testing, and modern web frameworks that perform appropriate escaping or quoting, the agencies said in a joint alert. CISA and the FBI also called on vendors to adopt the secure by design principles of customer security outcome ownership, transparency and accountability, and organizational structure and leadership to ensure the absence of XSS issues. "To demonstrate their commitment to building their products that are secure by design, software manufacturers should consider taking the Secure by Design Pledge. The pledge lays out seven key goals that the signers commit to demonstrating measurable progress towards, including reducing systemic classes of vulnerability like cross-site scripting," the agencies added.
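The alert's point that input sanitization alone does not remove XSS is illustrated below with an added example (not code from the CISA/FBI alert or from SecurityWeek): a naive input filter is contrasted with the render-time output encoding that escaping-aware web frameworks apply automatically. The profile-card template, the `naiveSanitize`/`escapeHtml` helpers and the untrusted sample value are all constructed for this illustration.

```javascript
// Naive input sanitization: strips one tag name from the input. It cannot
// know where the value will later be rendered, so characters that change
// the meaning of an HTML text node or attribute value pass through untouched.
function naiveSanitize(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, "");
}

// Output encoding for HTML text nodes and double-quoted attribute values:
// every character that could alter the parse of those contexts is encoded.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical profile card. `name` is untrusted and is rendered twice:
// inside a title="" attribute and as the element's text content.
function renderWithSanitizeOnly(name) {
  const n = naiveSanitize(name);
  return `<span title="${n}">${n}</span>`;
}
function renderWithEscaping(name) {
  const n = escapeHtml(name);
  return `<span title="${n}">${n}</span>`;
}

// Structural check for the template above: the markup itself contributes
// exactly two '<', two '>' and two '"'. Any extra one came from the
// untrusted value and means it escaped its intended context.
function markupIntact(html) {
  const count = (ch) => html.split(ch).length - 1;
  return count("<") === 2 && count(">") === 2 && count('"') === 2;
}

// Constructed untrusted input: contains no <script> tag, so the naive
// filter leaves it unchanged, yet it carries quotes and angle brackets.
const UNTRUSTED_NAME = 'Ann "Quotes" <b>O\'Neil</b>';

console.log(renderWithSanitizeOnly(UNTRUSTED_NAME)); // context broken
console.log(renderWithEscaping(UNTRUSTED_NAME));     // context preserved
```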