A cybersecurity vulnerability was discovered in a tool developed by the Cybersecurity and Infrastructure Security Agency (CISA) intended to help government agencies procure secure software. The flaw, present in CISA’s “Software Acquisition Guide: Supplier Response Web Tool,” was identified by Jeff Williams, former leader of the Open Worldwide Application Security Project (OWASP), and subsequently fixed by CISA in December.
Williams reported the cross-site scripting vulnerability in September, according to CyberScoop. This class of vulnerability allows attackers to inject malicious JavaScript into a web page, which can then be used to target other users of that same page or to deface the website. Williams stated that the vulnerability should have been readily apparent to CISA, as cross-site scripting was the first test he performed.
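The article does not show the vulnerable code, so the following is an added illustration of the flaw class it describes, written for this page and not taken from CISA's tool or its source. It assumes a questionnaire-style page that echoes a supplier's free-text answer back into an HTML table; the vulnerable renderer interpolates the answer raw, the hardened one entity-encodes every untrusted value for the text context it lands in, and a small check lets a reviewer or unit test confirm that no input markup survives into the output. The sample input is constructed.

```javascript
// Added example (hypothetical, not CISA's code): reflected cross-site scripting
// in a supplier-response page, beside its fix. Pure string handling, so it runs
// under Node without a DOM.

// Minimal HTML entity encoding for untrusted text placed in element content.
// '&' must be encoded first so already-encoded output is not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the supplier's answer is interpolated directly into markup, so any
// tags in the answer become part of the page every later viewer loads.
function renderAnswerUnsafe(question, answer) {
  return `<tr><td>${question}</td><td>${answer}</td></tr>`;
}

// Hardened: both values are encoded for the HTML text context they are placed in.
// Output encoding at the point of rendering is the fix; input filtering alone is not.
function renderAnswerSafe(question, answer) {
  return `<tr><td>${escapeHtml(question)}</td><td>${escapeHtml(answer)}</td></tr>`;
}

// Review check: if the input contained angle brackets and the exact input string
// reappears in the rendered HTML, the page is emitting user-controlled markup.
function leaksMarkup(input, output) {
  return /[<>]/.test(input) && output.includes(input);
}

// Constructed sample answer containing markup with a quoted attribute, so the
// check exercises both tag and quote encoding.
const sampleAnswer = '<i title="x">vendor</i>';

// Stand-alone demonstration.
console.log("unsafe leaks markup:", leaksMarkup(sampleAnswer, renderAnswerUnsafe("Q1", sampleAnswer)));
console.log("safe leaks markup:  ", leaksMarkup(sampleAnswer, renderAnswerSafe("Q1", sampleAnswer)));
console.log(renderAnswerSafe("Q1", sampleAnswer));
```

The `leaksMarkup` check is the kind of one-line assertion that catches this bug in a unit test before deployment, which is the same probe Williams describes running first against the live tool.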
CISA Addresses Software Acquisition Tool Vulnerability
The discovery of a flaw in a tool designed to promote secure software development has drawn commentary. Williams, who is also co-founder and chief technology officer of application security firm Contrast Security, expressed his view that the situation was “a little hypocritical” given CISA’s mission. He noted that while the vulnerability was not the most severe, it could still be considered significant by organizations that highly value their reputation.
Initially, the vulnerability reported through CISA’s bug bounty program was rejected as not critical enough. However, it later gained attention through CISA’s Vulnerability Information and Coordination Environment program. The process of resolving the issue was reportedly delayed, in part, by a government shutdown, though Williams estimated the fix itself would require minimal effort.
Background on CISA’s Role
CISA, frequently an advocate for robust cybersecurity practices, has not been immune to security incidents itself. In 2024, the agency disclosed a breach that necessitated notification to Congress. This incident highlights that even organizations focused on cybersecurity can be targets.
Robert Costello, CISA’s chief information officer, confirmed the agency’s response to the notification of a potential vulnerability. He stated that CISA acted promptly to address and patch the flaw, confirming there was no significant risk or known exploitation. Costello also indicated that process improvements have been identified for future vulnerability reports.
CISA, as a proponent of the Common Vulnerabilities and Exposures (CVE) program, followed standard coordinated disclosure procedures to document the vulnerability with a CVE identifier. The agency expressed appreciation for the report from the security researcher, characterizing the resolution as an example of operational collaboration.
The situation underscores the persistent challenges in securing software, particularly within government technology infrastructure. The subsequent CVE designation signifies the vulnerability’s formal recognition and tracking within the broader cybersecurity community. What remains to be seen is the extent to which CISA’s identified process improvements will enhance their response to future disclosures and ultimately strengthen the security posture of government acquisition tools.