On September 17, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) published a Secure by Design Alert, cautioning senior executives and business leaders to be aware of and work to eliminate cross-site scripting (“XSS”) vulnerabilities in their products (the “Alert”).  XSS vulnerabilities allow “threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts.” 

Of note, the Alert urges senior executives and business leaders to prioritize eliminating such defects and to work with their technical leaders to implement a secure by design approach.  The Alert’s focus on senior executives and business leaders echoes efforts to emphasize the role of management in cybersecurity, such as the addition of a “Governance” function to the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework 2.0

The Alert encourages companies to follow the three principles outlined in the joint guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software:

Principle 1: Take Ownership of Customer Security Outcomes

The Alert states that software manufacturers should invest in “providing secure building blocks for developers” and implementing mechanisms, such as automated safeguards and static analysis tools, to prevent vulnerabilities on a large scale early in the development cycle.  In addition, senior executives should have their companies regularly test and conduct code reviews to detect software vulnerabilities.  The Alert cautions that “relying solely on detecting, mitigating, and patching vulnerabilities after they have been identified for years is not a sustainable security approach.”   

Principle 2: Embrace Radical Transparency and Accountability

The Alert encourages software manufacturers to “lead with transparency when disclosing product vulnerabilities” and recommends that they track and disclose product vulnerabilities to customers, using the CVE Program and CWE (Common Weakness Enumeration).  The Alert also notes that software manufacturers should maintain a modern vulnerability disclosure program (“VDP”).

Principle 3: Build Organizational Structure and Leadership to Achieve These Goals

The Alert states that senior executives and business leaders should (among other items):

  • Provide “the security of their products the same level of care they give to cost;”
  • Implement “the appropriate investments and develop the right incentive structures that promote security as a stated business goal;” 
  • Direct “programs to root out entire classes of vulnerability rather than addressing them on a case-by-case basis;”
  • Enact “organizational structures that prioritize proactive measures” to root out XSS vulnerabilities; and
  • Conduct “reviews to detect common and well-known vulnerabilities.”  

The Alert also encourages software manufacturers to consider taking the Secure by Design Pledge, which establishes seven key goals for combating vulnerabilities like XSS.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the
U.S. Army Reserve.

Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Photo of Matthew Harden Matthew Harden

Matthew Harden is a cybersecurity and litigation associate in the firm’s New York office. He advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries. He…

Matthew Harden is a cybersecurity and litigation associate in the firm’s New York office. He advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries. He works with clients across industries, including in the technology, financial services, defense, entertainment and media, life sciences, and healthcare industries.

As part of his cybersecurity practice, Matthew provides strategic advice on cybersecurity and data privacy issues, including cybersecurity investigations, cybersecurity incident response, artificial intelligence, and Internet of Things (IoT). He also assists clients with drafting, designing, and assessing enterprise cybersecurity and information security policies, procedures, and plans.

As part of his litigation and investigations practice, Matthew leverages his cybersecurity experience to advise clients on high-stakes litigation matters and investigations. He also maintains an active pro bono practice focused on veterans’ rights.

Matthew currently serves as a Judge Advocate in the U.S. Coast Guard Reserve.