August 2, 2024 By Josh Nadeau 3 min read

On July 10, 2024, CISA and the FBI released a new Secure by Design Alert that highlighted the dangers of OS (operating system) command injection vulnerabilities in common software products.

Although these vulnerabilities continue to surface in modern software solutions, well-defined Secure by Design principles already exist that manufacturers can follow to protect customers from malicious cyber actors.

Still, even though OS command injection vulnerabilities are preventable, they are considered a prevalent danger, which is why there has been increased awareness about the issue.

What are OS command injection vulnerabilities?

An OS command injection is a software design flaw that originates when the software fails to properly validate specific user inputs before allowing them to execute a system command.

This seemingly harmless flaw in the code behind various software features can be incredibly dangerous. It allows attackers to execute arbitrary commands through input fields, potentially allowing them to gain full administrative access to a targeted system.

How can software manufacturers effectively eliminate OS command injection vulnerabilities?

Preventative steps have been outlined for some time now on how software manufacturers can eliminate OS command injection vulnerabilities at scale. These preventative measures include:

  • Using built-in library functions: Rather than building commands from raw strings when coding in Python, software developers should use pre-existing library functions designed specifically to handle user inputs more securely. Many of these pre-built functions have their own built-in input sanitization protocols that can prevent malicious code injections.
  • Establishing input parameterization: Input parameterization ensures that all user-supplied inputs are categorized as data and cannot be used as a command parameter. This separation is another technique that can minimize the chance of an injection attack.
  • Validating and limiting all inputs: Adequate protocols should validate and sanitize all user-supplied inputs to ensure they meet pre-established formats or patterns. Developers should also restrict the quantity and length of user inputs wherever possible, helping to reduce digital attack surfaces.
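
The three measures above, shown together as an added Python example (not code from the CISA alert or from this article): a raw-string shell call beside the argument-list form, with allow-list validation and a length limit in front of it. `TOOL` is a stand-in child process, and the function names, hostname policy and sample input are assumptions constructed for illustration.

```python
import re
import subprocess
import sys

MAX_HOST_LEN = 253  # limit input length (third measure)
# Allow-list (assumed policy): dot-separated labels of letters, digits, inner hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(LABEL + r"(?:\." + LABEL + r")*")

# Stand-in for a real diagnostic tool: a child process that echoes its argument.
TOOL = [sys.executable, "-c", "import sys; print('lookup', sys.argv[1])"]

def lookup_unsafe(host: str) -> str:
    """BEFORE: raw string handed to a shell, which parses metacharacters in host."""
    cmd = "echo lookup " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname of bounded length."""
    # A leading "-" is also rejected: argument lists stop shell parsing,
    # but a real tool could still read such a value as one of its options.
    if len(host) > MAX_HOST_LEN or not HOST_RE.fullmatch(host):
        raise ValueError("host does not match the expected format")
    return host

def lookup_parameterized(host: str) -> str:
    """Parameterization alone: host is one argv element, never shell syntax."""
    return subprocess.run(TOOL + [host], capture_output=True, text=True, check=True).stdout

def lookup_safe(host: str) -> str:
    """AFTER: validated input, passed as data through the library's argv form."""
    return lookup_parameterized(validate_host(host))

if __name__ == "__main__":
    sample = "example.com; echo INJECTED"  # constructed input
    print(repr(lookup_unsafe(sample)))         # shell runs a second command
    print(repr(lookup_parameterized(sample)))  # whole string treated as data
    try:
        lookup_safe(sample)
    except ValueError as exc:
        print("rejected:", exc)
```
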

Important Secure by Design principles software manufacturers and customers should follow

CISA and the FBI have been working closely together to help guide manufacturers on taking more ownership of and control over their software design processes. This all begins with being open to change and placing higher priorities on cybersecurity readiness, especially regarding OS command injection exploits and other preventable vulnerabilities.

To help manufacturers improve this level of awareness, CISA and 17 U.S. and international partners have created a resource document titled Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software that outlines critical software product security principles.

The three core principles outlined in this document include:

  1. Take ownership of customer security outcomes.
  2. Embrace radical transparency and accountability.
  3. Build organizational structure and leadership to achieve these goals.

The guiding principles discussed in this resource are designed for both manufacturers and customers who purchase software for their organizations.

While providing actionable steps manufacturers can take to successfully embody the Secure by Design philosophy, this resource is also expected to be used as a template enterprise customers can incorporate into their procurement processes, vendor due diligence assessments and risk management procedures.

The Secure by Design pledge

In addition to the Secure by Design principles discussed, CISA is encouraging all enterprise software and service providers to go an important step further by taking the Secure by Design pledge. This voluntary pledge is primarily targeted toward on-premises software, cloud services and Software as a Service (SaaS) providers and is structured around goals focused on several key areas:

  • Multi-factor authentication (MFA)
  • Reduction of default passwords
  • Reduction of various classes of vulnerabilities
  • Timely security patches
  • Creation of vulnerability disclosure policies
  • Common Vulnerabilities and Exposures (CVE) reporting
  • Evidence of intrusions provided to customers

With OS command injection vulnerabilities continuing to persist, it’s clear that CISA and the FBI’s reminder is timely. These concerns should spur software manufacturers and their customers to consider how they should prioritize higher standards in digital security.
