CISA and the Federal Bureau of Investigation (FBI) have released a Secure by Design Alert, Eliminating Buffer Overflow Vulnerabilities, as part of their cooperative Secure by Design Alert series—an ongoing series aimed at advancing industry-wide best practices to eliminate entire classes of vulnerabilities during the design and development phases of the product lifecycle. The Alert describes proven techniques to prevent or mitigate buffer overflow vulnerabilities through secure by design principles and best practices.
Buffer overflow vulnerabilities are a prevalent type of defect in memory-safe software design that can lead to system compromise. These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution. Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network, and then move laterally to the wider network.
CISA and FBI urge manufacturers to review the Alert and, where feasible, eliminate this class of defect by developing new software using memory-safe languages, using secure by design methods, and implementing the best practices supplied in this Alert. CISA and FBI also urge software customers to demand secure products from manufacturers that include these preventions.
CISA’s Secure by Design Pledge page offers more details on enterprise software products and services—including on-premises software, cloud services, and software as a service (SaaS).
