Eradicating Trivial Vulnerabilities at Scale
In the NCSC’s 2024 Annual Review, we described how fixing foundational vulnerabilities in software code is essential to improving digital resilience across the globe. The report emphasized the need to address decades of misaligned incentives that prioritized features and speed to market over fixes that would enhance security at scale. The vulnerabilities referred to in the Annual Review, those that are trivial to find and that occur repeatedly, are the ones the NCSC aims to reduce significantly.

These ‘unforgivable vulnerabilities’, a term coined by Steve Christey in his 2007 MITRE paper, are ‘beacons of a systematic disregard for secure development practices. They simply should not appear in software that has been designed, developed, and tested with security in mind.’ 🚫

A new paper by the NCSC, titled ‘A Method to Assess ‘Forgivable’ vs ‘Unforgivable’ Vulnerabilities’, extends the ideas introduced in the MITRE paper and proposes a method for security researchers to evaluate whether a vulnerability is ‘forgivable’ or ‘unforgivable’. In effect, the method quantifies how easily the mitigations needed to manage the vulnerability could have been applied. A vulnerability whose mitigations are ‘easy’ to apply can then be judged ‘unforgivable’, although that judgement remains a subjective one. More importantly, the paper aims to spark discussion with vendors, urging them to work towards eradicating whole vulnerability classes and making the top-level mitigations it discusses easier to implement.

Most of the 13 ‘unforgivable vulnerabilities’ listed in the original MITRE 2007 paper still exist in one form or another. At the core of this research is the desire to eliminate these vulnerability classes and to simplify the implementation of top-level mitigations. The NCSC believes this is best achieved by enhancing the security of operating systems, improving development frameworks, and encouraging developers and vendors to adopt secure programming concepts. Additionally, many vulnerabilities can be eradicated using the approaches outlined in CISA’s Secure by Design and in the voluntary Code of Practice for Software Vendors, a systemic intervention by the UK government aimed at software vendors and designed to ensure that security is ‘baked into’ software. This initiative will start as a voluntary code, but further policy interventions to support its uptake and impact are currently being explored. 🔒

To read the complete NCSC article, see: Read full article

RISE-IRELAND is on April 14-15; get on the waitlist at RISE-IRELAND. The call for papers is still open, and it is a great way to get in if your submission is accepted: Submit Abstract.

This post is licensed under CC BY 4.0 by the author.