Subj : FBI and CISA tell devs to crack down on security issues before re To : All From : TechnologyDaily Date : Fri May 03 2024 16:15:05 FBI and CISA tell devs to crack down on security issues before releasing Date: Fri, 03 May 2024 15:00:00 +0000 Description: Despite it being well-documented, path traversal remains a major pain point, two agencies said in a security alert. FULL STORY ====================================================================== The U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), published a new joint security alert earlier this week, urging software developers to keep path traversal in mind when developing software products. Path traversal is a software vulnerability also known as directory traversal, or directory climbing. By abusing this flaw, threat actors can access sensitive files and directories. The hole typically arises in web applications or systems that dynamically construct file paths based on user input without properly validating or sanitizing it. According to the two agencies, path traversal is a persistent class of defect in software products, despite it being well-documented and having effective elimination approaches, at scale, for more than two decades. Demanding action Software manufacturers continue to put customers at risk by developing products that allow for directory traversal exploitation, the alert reads, adding that threat actors are constantly abusing path traversal to target the healthcare and public health sectors. Right now, CISA has 55 path traversal vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog, signaling in-the-wild abuse. Approaches to avoid directory traversal vulnerabilities are known, yet threat actors continue to exploit these vulnerabilities which have impacted the operation of critical services, including hospital and school operations, the alert further states. CISA and the FBI urge software manufacturer executives to require their organizations to conduct formal testing (see OWASP testing guidance) to determine their products susceptibility to directory traversal vulnerabilities. The two agencies also urge all software users to inquire with their partners, if they had conducted formal directory traversal testing. Should manufacturers discover their systems lack the appropriate mitigations, they should ensure their software developers immediately implement mitigations to eliminate this entire class of defect from all products. Building security into products from the beginning can eliminate directory traversal vulnerabilities, the two concluded. More from TechRadar Pro SysAid tells customers to patch immediately after Microsoft flags ransomware campaign exploiting new zero-day flaw Here's a list of the best firewalls around today These are the best endpoint security tools right now ====================================================================== Link to news story: https://www.techradar.com/pro/security/fbi-and-cisa-tell-devs-to-crack-down-on -security-issues-before-releasing --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .