On July 10, 2024, CISA and the FBI released a new Secure by Design Alert that highlighted the dangers of OS (operating system) command injection vulnerabilities in common software products.

Although these vulnerabilities continue to surface in modern software solutions, well-defined Secure by Design principles already exist that manufacturers can follow to protect customers from malicious cyber actors.

Still, even though OS command injection vulnerabilities are preventable, they are considered a prevalent danger, which is why there has been increased awareness about the issue.

What are OS command injection vulnerabilities?

An OS command injection is a software design flaw that originates when the software fails to properly validate specific user inputs before allowing them to execute a system command.

This seemingly harmless flaw in the coding used to create various software features can be incredibly dangerous. It allows attackers to execute arbitrary commands in input fields, potentially allowing them to gain full administrative access to a targeted system.

How can software manufacturers effectively eliminate OS common injection vulnerabilities?

Preventable steps have been outlined for some time now on how software manufacturers can eliminate OS command injection vulnerabilities at scale. These preventative measures include:

• Using built-in library functions: Rather than using raw strings when coding in Python, software developers should use pre-existing library functions designed specifically to handle user inputs more securely. Many of these pre-built functions have their own built-in input sanitation protocols that can prevent malicious code injections.
• Establishing input parameterization: Input parameterization ensures that all user-supplied inputs are categorized as data and cannot be used as a command parameter. This separation is another technique that can minimize the chance of an injection attack.
• Validating and limiting all inputs: Adequate protocols should validate and sanitize all user-supplied inputs to ensure they meet pre-established formats or patterns. Developers should also restrict the quantity and length of user inputs wherever possible, helping to reduce digital attack surfaces.

Important Secure by Design principles software manufacturers and customers should follow

CISA and the FBI have been working closely together to help guide manufacturers on taking over more ownership and control over their software design processes. This all begins with being open to change and placing higher priorities on cybersecurity readiness, especially regarding OS command injection exploits and other preventable vulnerabilities.

To help manufacturers improve this level of awareness, CISA and 17 U.S. and international partners have created a resource document titled Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software that outlines critical software product security principles.

The three core principles outlined in this document include:

1. Take ownership of customer security outcomes.
2. Embrace radical transparency and accountability.
3. Build organizational structure and leadership to achieve these goals.

The guiding principles discussed in this resource are designed for both manufacturers and customers who purchase software for their organizations.

While providing actionable steps manufacturers can take to successfully embody the Secure by Design philosophy, this resource is also expected to be used as a template enterprise customers can incorporate into their procurement processes, vendor due diligence assessments and risk management procedures.

The Secure by Design pledge

In addition to the Secure by Design principles discussed, CISA is encouraging all enterprise software and service providers to go an important step further by taking the Secure by Design pledge. This volunteer pledge is primarily targeted toward on-premises software, cloud services and Software as a Service (SaaS) providers and is structured business goals focused on several key areas:

• Multi-factor authentication (MFA)
• Reduction of default passwords
• Reduction of various classes of vulnerabilities
• Timely security patches
• Creation of vulnerability disclosure policies
• Common Vulnerabilities and Exposures (CVE) reporting
• Evidence of intrusions provided to customers

With OS common injection vulnerabilities continuing to persist, it’s clear that CISA and the FBI’s reminder is timely. These concerns should spur software manufacturers and their customers to consider how they should prioritize higher standards in digital security.