The UK’s leading cybersecurity agency, the National Cyber Security Centre (NCSC), has called for improved developer security practices that wipe out entire classes of vulnerabilities at their source. In a blog post on Wednesday, the agency emphasized the importance of eradicating these “unforgivable vulnerabilities” by making it easier for vendors and developers to implement top-level mitigations.
NCSC’s head of vulnerability management, Ollie N, highlighted the need for operating systems to be more secure, development frameworks to be improved, and for developers and vendors to adopt secure programming concepts. The agency believes that by using the right tools and approaches outlined by initiatives like CISA Secure by Design and the Code of Practice for Software Vendors, many vulnerabilities can be eliminated.
The upcoming voluntary code of practice for software vendors, set to be published later this year, aims to encourage secure programming practices and ensure that security is integrated into software from the start. Ollie N mentioned that although the code will initially be voluntary, this approach may evolve in the future.
To help security researchers assess the severity of vulnerabilities, the NCSC has released a new paper setting out criteria for deciding whether a vulnerability is forgivable or unforgivable. The agency stressed that some vulnerabilities should not exist in software at all, because the mitigation that prevents them is simple to implement: it is well documented, low cost, and does not depend on complex requirements.
The paper urged the industry to implement top-level mitigations in three key areas: operating systems, integrated development environments (IDEs), and secure programming concepts for developers and vendors. It called for operating systems to remove unsafe functions, IDEs to support secure programming languages, and for the adoption of technologies like Rust and CHERI.
Despite the rising number of Common Vulnerabilities and Exposures (CVEs) each year, which pose growing challenges for end-user organizations, the market offers little incentive to address unforgivable bugs at their source. The NCSC’s annual review highlighted how the software industry prioritizes new features and speed to market over security. Ollie N emphasized the need to realign incentives so that fixing such vulnerabilities improves security at scale.
The agency’s paper aims to spark discussions with vendors and encourages them to collaborate in eradicating vulnerability classes and implementing the top-level mitigations outlined. By addressing these issues, the cybersecurity community can work towards a more secure digital landscape for users worldwide.