USA: FTC publishes blog on addressing security vulnerabilities systematically

On April 17, 2024, the Federal Trade Commission (FTC) published a blog on security principles: addressing vulnerabilities systematically. In particular, the FTC highlighted that poor security practices have been apparent in its enforcement actions. The FTC noted that in addressing security vulnerabilities, 'human error' is not an appropriate diagnosis for successfully exploited vulnerabilities.

The FTC describes approaches that can entirely prevent certain classes of vulnerability or dramatically reduce the likelihood of their occurring. These include:

  • cross-site scripting (XSS), which can be effectively addressed by using template rendering systems that escape output by default, rather than requiring developers to correctly mark every variable that is rendered as unsafe;
  • SQL injection, which can be addressed with query builders and other APIs that clearly delineate between attacker-controlled data and the structure of the query; and
  • buffer overflows and use-after-free vulnerabilities, which can be addressed through the use of memory-safe programming languages, rather than memory-unsafe ones.
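
As an added illustration of the FTC's point that API design, not developer vigilance, removes whole vulnerability classes, the example below (not from the FTC blog or this summary; standard-library Python with constructed sample data) puts string-formatted SQL and opt-in escaping beside their parameterized and escape-by-default counterparts. The `Safe` marker class and the `users` table are assumptions made for the demonstration.

```python
import html
import sqlite3

# Constructed sample table and a constructed attacker-shaped input (not real data).
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]
MALICIOUS_NAME = "x' OR '1'='1"


class Safe(str):
    """Assumed marker for a value the developer has deliberately vetted as HTML."""


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Data and query structure mixed by string formatting: the quote in the
    input becomes SQL and the tautology returns every row (SQL injection)."""
    return conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the input stays a bound value, so a quote inside it
    can never change the structure of the query."""
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def render_opt_in(template: str, **values: object) -> str:
    """Escaping only where the developer remembers html.escape(): one missed call is an XSS."""
    return template.format(**values)


def render_escape_by_default(template: str, **values: object) -> str:
    """Every value is HTML-escaped unless explicitly wrapped in Safe (the FTC's recommended default)."""
    escaped = {k: v if isinstance(v, Safe) else html.escape(str(v), quote=True)
               for k, v in values.items()}
    return template.format(**escaped)


def demo() -> dict:
    conn = make_db()
    payload = "<script>alert(1)</script>"
    return {
        "unsafe_rows": len(lookup_unsafe(conn, MALICIOUS_NAME)),  # 2: every row leaks
        "safe_rows": len(lookup_safe(conn, MALICIOUS_NAME)),      # 0: no such name
        "opt_in": render_opt_in("<p>{name}</p>", name=payload),   # script tag intact
        "default": render_escape_by_default("<p>{name}</p>", name=payload),  # escaped
    }
```

The same malicious inputs are fed to both API styles; only the APIs that separate data from structure, or that escape unless told otherwise, stay safe without the developer doing anything extra.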

In addition, the FTC detailed that the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design Series provides guidance on the above.

Finally, the FTC clarified that recent enforcement actions have made it clear that companies have a legal obligation to effectively protect consumers' data, and that unfair or deceptive acts may violate the Federal Trade Commission Act (the FTC Act).

You can read the blog here.