NCSC Calls on Vendors to Eradicate “Unforgivable” Vulnerabilities
The UK’s leading cybersecurity agency has called on the software industry to wipe out an entire class of vulnerabilities at source, through improved developer security practices.
The National Cyber Security Centre (NCSC) argued in a blog post on Wednesday that it wants to eradicate these so-called “unforgivable vulnerabilities” by making “top-level” mitigations easier for vendors and developers to implement.
“The NCSC believe this can be best done by making operating systems more secure, by improving development frameworks, and by encouraging developers and vendors to adopt secure programming concepts,” wrote NCSC head of vulnerability management, Ollie N.
“Whilst vulnerabilities are hard to avoid, we can eradicate many using the right tools and approaches, such as those outlined by CISA Secure by Design and the voluntary Code of Practice for Software Vendors, a systemic intervention by the UK government aimed at software vendors, and designed to ensure that security is ‘baked into’ software.”
Set to be published later this year, that code will begin as a voluntary set of practices, but this could change in the future, Ollie N wrote.
In the meantime, the NCSC has launched a new paper designed to make it easier for security researchers to assess if vulnerabilities are “forgivable” or “unforgivable,” in a bid to put pressure on the market.
It explained that some vulnerabilities simply should not exist in software because mitigations are simple to implement. This could be because:
- The mitigation is fully documented
- It is cheap to implement
- The technical implementation of the mitigation does not rely on “too many (or too complex) prerequisites”
The paper called for industry to implement top-level mitigations in three key areas:
- Operating systems should ban/remove unsafe functions and make high-impact mitigations easier to implement via APIs, or enforce their use. They should also handle security and reliability in common frameworks, APIs and libraries
- Integrated Development Environments (IDEs) should make it easier to use secure programming languages, integrate trusted third-party frameworks and libraries, highlight bugs in source code and more
- Developers and vendors should enforce the use of secure programming concepts, such as catching bugs during development, and consider adoption of Rust and CHERI technologies
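As an added illustration of the first and third recommendations (banning unsafe functions and catching the bug during development rather than in production), the following C example is not taken from the NCSC paper or any vendor's code. It assumes a GCC- or Clang-compatible compiler, uses the `#pragma GCC poison` directive to turn any later use of the classic unbounded string functions into a compile-time error, and replaces them with a bounded copy whose return value tells the caller whether the input fit. The sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Ban the unbounded copy/format functions for the rest of this file.
 * Any later use of these identifiers fails to compile (GCC/Clang),
 * so the whole overflow class is caught at build time, not at runtime.
 * The headers are included first so their own declarations are unaffected. */
#pragma GCC poison strcpy strcat gets sprintf

/* Result of a bounded copy: the caller always learns whether the
 * destination was large enough instead of the buffer silently overflowing. */
enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARGS = 2 };

/* Copy at most dst_size-1 bytes of src into dst and always NUL-terminate.
 * Never writes past dst + dst_size, whatever the length of src. */
enum copy_status bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARGS;

    size_t i = 0;
    for (; i + 1 < dst_size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';

    /* If we stopped before the source's terminator, the input did not fit. */
    return src[i] == '\0' ? COPY_OK : COPY_TRUNCATED;
}

/* Hypothetical consumer: a fixed-size field filled from untrusted input.
 * Returns 1 only when the whole input was stored; truncation is rejected
 * rather than accepted as a half-copied value. */
int store_username(char *out, size_t out_size, const char *untrusted)
{
    return bounded_copy(out, out_size, untrusted) == COPY_OK;
}

int main(void)
{
    char name[16];

    /* Constructed input that fits in the 16-byte field. */
    printf("short: ok=%d value=\"%s\"\n",
           store_username(name, sizeof name, "alice"), name);

    /* Constructed input that would have overflowed an unbounded strcpy;
     * here it is truncated safely and reported as rejected. */
    printf("long:  ok=%d value=\"%s\"\n",
           store_username(name, sizeof name,
                          "this-name-is-far-too-long-for-the-buffer"),
           name);
    return 0;
}
```

Uncommenting a call to `strcpy` anywhere below the pragma makes the build fail, which is the "enforce their use" behaviour the paper asks platforms and toolchains to provide; the status enum is what makes the bounded replacement cheap to adopt, since callers can check one return value instead of reasoning about lengths themselves.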
Incentivizing Software Vendors
CVEs are increasing annually to record highs as the global code base grows and both researchers and threat actors get better at finding vulnerabilities.
Yet although the challenges this represents for end-user organizations could be significantly mitigated if unforgivable bugs were addressed at source, the market is simply not incentivized currently to make this happen, the NCSC argued.
In its annual review, it bemoaned the prioritization of new features over security in the software industry.
“[The review] stressed the need to address decades of misaligned incentives that prioritized ‘features’ and ‘speed to market’ at the expense of fixing vulnerabilities that can improve security, at scale,” said Ollie N.
“This paper intends to generate discussion with vendors, and is a call on them to work to eradicate vulnerability classes and make the top-level mitigations discussed in the paper easier to implement.”