
NCSC Urges Vendors to Eliminate Unforgivable Vulnerabilities


The UK’s leading cybersecurity agency, the National Cyber Security Centre (NCSC), has called for improved developer security practices that wipe out entire classes of vulnerabilities at their source. In a blog post on Wednesday, the agency emphasized the importance of eradicating these “unforgivable vulnerabilities” by making it easier for vendors and developers to implement top-level mitigations.

NCSC’s head of vulnerability management, Ollie N, highlighted the need for operating systems to be more secure, development frameworks to be improved, and for developers and vendors to adopt secure programming concepts. The agency believes that by using the right tools and approaches outlined by initiatives like CISA Secure by Design and the Code of Practice for Software Vendors, many vulnerabilities can be eliminated.

The upcoming voluntary code of practice for software vendors, set to be published later this year, aims to encourage secure programming practices and ensure that security is integrated into software from the start. Ollie N mentioned that although the code will initially be voluntary, this approach may evolve in the future.

To assist security researchers in assessing the severity of vulnerabilities, NCSC has released a new paper outlining criteria for determining whether a vulnerability is forgivable or unforgivable. The agency stressed that some vulnerabilities should not exist in software at all, because their mitigations are simple to implement: well documented, low-cost, and free of complex requirements.

The paper urged the industry to implement top-level mitigations in three key areas: operating systems, integrated development environments (IDEs), and secure programming concepts for developers and vendors. It called for operating systems to remove unsafe functions, IDEs to support secure programming languages, and for the adoption of technologies like Rust and CHERI.

Despite the increasing number of Common Vulnerabilities and Exposures (CVEs) each year, which pose challenges to end-user organizations, the market lacks incentives to address unforgivable bugs at the source. The NCSC’s annual review highlighted how the software industry prioritizes new features and speed to market over security. Ollie N emphasized the need to align incentives to focus on fixing vulnerabilities to improve security on a larger scale.

The agency’s paper aims to spark discussions with vendors and encourages them to collaborate in eradicating vulnerability classes and implementing the top-level mitigations outlined. By addressing these issues, the cybersecurity community can work towards a more secure digital landscape for users worldwide.
