How should a CISO deal with XSS?

I got many comments (thank you everyone, as i learnt a lot) for my article that i published some time back.

I realized that i need to explain my thoughts in a different way (as many people were of view that i am championing a person-with-no-technical-knowledge as CISO. In order to explain my thinking, let’s take a vulnerability like XSS and see how each role (from my previous article) should respond to it: –

  1. Security Analyst – He/she needs to showcase the PoC (Proof of Concept) of XSS, and not just share a text from OWASP website. In other words, the analyst needs to prove that the XSS (in this case) is exploitable, and how. We all know that not all XSS can be exploited, and market is already ripe with all those script kiddies who can just run some tools and email the report (after modifying the aesthetics).
  2. Security Manager– He/she needs to understand the impact to the application (e.g., what is the critical data here? Can it be lifted off because of this vulnerability? Can the system be taken over due to this vulnerability? Has it been proved here, with ample evidences so that i can take it to the CISO?)
  3. CISO — How important is this application to the company? Who are the customers for this application? Has the manager validated the vulnerability and the proof? Is it damaging our confidential data? What is being impacted here (C, I or A)? What else is affected here? Would it be possible to pivot to other important machines in our network after compromise of this system because of XSS? What are the other defense mechanisms in place to prevent a pivot? How much time will it take for this vulnerability to be patched? Would there be any downtime (during patch)? Can the customers of this application wait till the application is patched, tested, re-deployed? what can we do to expedite it (if it is so important to the company that downtime won’t be tolerated)?

After getting responses of all questions (in case of CISO performing role of manager, or vice-versa, he/she will have to ask both types of questions to the security analyst & to himself), he/she will have to decide the next course of action.

I, on my side, have seen critical application vulnerabilities & resulting risks being accepted during an engagement because no downtime could be afforded. Instead, in this case, the CISO (after discussing with the penetration tester) created an exploit video, demonstrating the impact. He then got a WAF (Web Application Firewall) deployed before the app (with new rules to handle the XSS, which were created by the penetration tester. He had gotten relevant clauses inserted in the PT engagement beforehand, predicting the shortage of resources and possible blockages by management) and used the video to increase management awareness. He got approval for the system upgrade, subject to the condition that the old copy will remain behind WAF till the new copy is developed and tested.

He was able to do all this because

1. He asked pertinent questions to understand the issue

2. He drove the penetration tester harder, asking for PoC, getting all relevant contractual clauses in place so that he gets the necessary support, etc.

3. He had a game plan in place to handle the vulnerabilities.

If i put understanding of XSS on a scale of 1–10, with

1 — knowledge of expansion of XSS

2 — understanding a visual representation of how XSS works (e.g., something on the lines of this URL https://www.acunetix.com/wp-content/uploads/2014/03/reflected-xss.png)

3 — Understanding the impact of XSS (either by pestering the penetration tester to prove it or going through online examples like this URL — https://security.stackexchange.com/questions/1368/can-anybody-explain-xss OR http://www.12robots.com/index.cfm/2010/9/14/whats-possible-with-xss–security-series-81)

4 — Ability to explain, with example of, XSS code (e.g., something like this URL — https://security.stackexchange.com/questions/1368/can-anybody-explain-xss)

5 — Ability to identify the vulnerability through automated tools (like burp or acunetix, etc.)

6 — Ability to identify the vulnerability without any tool (manually)

7–10 — Ability to understand XSS on a deeper technical level (ability to exploit XSS through various methods)

As you can see, steps 1–4 can be done by someone with basic knowledge of information security (and i am full advocate of a CISO having spent some time in this field. I don’t expect a newbie-in-infosec-but-a-veteran-in-management to succeed in this field). Script kiddies can handle the step #5, but you need a technical person to perform well between 6–10.

I am increasingly seeing this issue. One needs to understand how XSS works and its impact on that application and, as a consequence, the organization. One also need to understand the various defensive measures that are present in the industry. However, as a decision maker, your technical skills won’t save you if you do not have decision making skills. Decision making is a skill in itself that takes tremendous practice.