XSS, or cross-site scripting, is a prolific vulnerability and has been on the Open Web Application Security Project’s ‘Top 10 most exploited vulnerabilities’ for at least five years now. The threat is very common and incredibly easy for users to fall victim to. In OWASP’s words, we can’t afford to tolerate relatively simple security issues like this, especially for a company as massive as eBay.
Fortunately, the methods and remedies to reduce the threat of XSS are well-known and readily available. Unfortunately, the development community is not recognising the need to deploy them. Developers need to be trained to write secure code, and testers to test for security and to have the instincts to look for a comprehensive list of vulnerabilities that they should try to exploit before the website/software goes live. This requires a whole new set of parameters from the ones they are used to when testing for usability flaws. Fully qualified and certified individuals, such as those holding (ISC)2’s CISSP or CSSLP, should also be involved throughout the entire process – from start to finish.
Ultimately, the solution to the XSS problem is relatively simple – sites need to update their current code to remove the vulnerability. Functionality for the user would not be impaired, provided the code running in the browser and the application was written properly.
To make this happen requires commitment from management to prioritise security in the development process. The fact that such a fixable flaw remains prevalent is telling. Companies reliant on web-based enterprise should surely see the need to invest properly in developing both awareness and competency within their development teams, and ensure the same is happening with their coding supply chain.
Often individual developers are aware of this issue but are unable to do much about it, as they are not encouraged or incentivised by the companies they are coding for or the business imperatives they are given. Few are working in an environment that allows them to invest time in understanding the issues, and thereby pursue security competency and address it. This is an issue that must rise above the purely technical considerations and get onto the agendas of the management and business leaders that are driving the development projects. Only then would we see investment in curbing incidents like these.
– Dr. Adrian Davis, Managing Director, EMEA, (ISC)2