Light Dark
August 2, 2024 By Josh Nadeau 3 min read
News

On July 10, 2024, CISA and the FBI released a new Secure by Design Alert that highlighted the dangers of OS (operating system) command injection vulnerabilities in common software products.

Although these vulnerabilities continue to surface in modern software solutions, well-defined Secure by Design principles already exist that manufacturers can follow to protect customers from malicious cyber actors.

Still, even though OS command injection vulnerabilities are preventable, they are considered a prevalent danger, which is why there has been increased awareness about the issue.

What are OS command injection vulnerabilities?

An OS command injection is a software design flaw that originates when the software fails to properly validate specific user inputs before allowing them to execute a system command.

This seemingly harmless flaw in the coding used to create various software features can be incredibly dangerous. It allows attackers to execute arbitrary commands in input fields, potentially allowing them to gain full administrative access to a targeted system.

How can software manufacturers effectively eliminate OS common injection vulnerabilities?

Preventable steps have been outlined for some time now on how software manufacturers can eliminate OS command injection vulnerabilities at scale. These preventative measures include:

  • Using built-in library functions: Rather than using raw strings when coding in Python, software developers should use pre-existing library functions designed specifically to handle user inputs more securely. Many of these pre-built functions have their own built-in input sanitation protocols that can prevent malicious code injections.
  • Establishing input parameterization: Input parameterization ensures that all user-supplied inputs are categorized as data and cannot be used as a command parameter. This separation is another technique that can minimize the chance of an injection attack.
  • Validating and limiting all inputs: Adequate protocols should validate and sanitize all user-supplied inputs to ensure they meet pre-established formats or patterns. Developers should also restrict the quantity and length of user inputs wherever possible, helping to reduce digital attack surfaces.

Important Secure by Design principles software manufacturers and customers should follow

CISA and the FBI have been working closely together to help guide manufacturers on taking over more ownership and control over their software design processes. This all begins with being open to change and placing higher priorities on cybersecurity readiness, especially regarding OS command injection exploits and other preventable vulnerabilities.

To help manufacturers improve this level of awareness, CISA and 17 U.S. and international partners have created a resource document titled Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software that outlines critical software product security principles.

The three core principles outlined in this document include:

  1. Take ownership of customer security outcomes.
  2. Embrace radical transparency and accountability.
  3. Build organizational structure and leadership to achieve these goals.

The guiding principles discussed in this resource are designed for both manufacturers and customers who purchase software for their organizations.

While providing actionable steps manufacturers can take to successfully embody the Secure by Design philosophy, this resource is also expected to be used as a template enterprise customers can incorporate into their procurement processes, vendor due diligence assessments and risk management procedures.

The Secure by Design pledge

In addition to the Secure by Design principles discussed, CISA is encouraging all enterprise software and service providers to go an important step further by taking the Secure by Design pledge. This volunteer pledge is primarily targeted toward on-premises software, cloud services and Software as a Service (SaaS) providers and is structured business goals focused on several key areas:

  • Multi-factor authentication (MFA)
  • Reduction of default passwords
  • Reduction of various classes of vulnerabilities
  • Timely security patches
  • Creation of vulnerability disclosure policies
  • Common Vulnerabilities and Exposures (CVE) reporting
  • Evidence of intrusions provided to customers

With OS common injection vulnerabilities continuing to persist, it’s clear that CISA and the FBI’s reminder is timely. These concerns should spur software manufacturers and their customers to consider how they should prioritize higher standards in digital security.

 |  |  |  |  |  |  |  |  | 
Josh Nadeau
Cybersecurity Writer

More from News
September 16, 2024

The rising threat of cyberattacks in the restaurant industry

2 min read - The restaurant industry has been hit with a rising number of cyberattacks in the last two years, with major fast-food chains as the primary targets. Here’s a summary of the kinds of attacks to strike this industry and what happened afterward. Data breaches have been a significant issue, with several large restaurant chains experiencing incidents that compromised the sensitive information of both employees and customers. In one notable case, a breach affected 183,000 people, exposing names, Social Security numbers, driver's…

September 11, 2024

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

September 9, 2024

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature