Eradicating Trivial Vulnerabilities at Scale
In the NCSC’s 2024 Annual Review, we described how fixing foundational vulnerabilities in software code is required to improve digital resilience across the globe. The section ‘Market incentives and the future of technology security’ stressed the need to address decades of misaligned incentives that prioritized features and speed to market over fixing the vulnerabilities whose removal would improve security at scale. The vulnerabilities referred to in the Annual Review (those that are trivial to find and occur repeatedly) are the ones the NCSC aims to drive down at scale. These ‘unforgivable vulnerabilities’, a phrase coined by Steve Christey in his 2007 MITRE paper, are ‘beacons of a systematic disregard for secure development practices. They simply should not appear in software that has been designed, developed, and tested with security in mind’.
A new paper by the NCSC (“A method to assess ‘forgivable’ vs ‘unforgivable’ vulnerabilities”) extends the ideas introduced in the MITRE paper and proposes a method that allows security researchers to assess whether a vulnerability is ‘forgivable’ or ‘unforgivable’. The method outlined in the paper effectively quantifies how easily the mitigations required to manage the vulnerability could have been applied. Whether a vulnerability with an ‘easy’ mitigation is then declared ‘unforgivable’ remains a subjective judgement. More importantly, the paper intends to generate discussion with vendors: it is a call on them to work to eradicate vulnerability classes and to make the top-level mitigations discussed in the paper easier to implement.
Most of the 13 ‘unforgivable vulnerabilities’ mentioned in the original MITRE 2007 paper still exist in one form or another. At the core of this research is the desire to eradicate vulnerability classes and make the top-level mitigations easier to implement. The NCSC believes this can best be done by making operating systems more secure, improving development frameworks, and encouraging developers and vendors to adopt secure programming concepts. Additionally, many vulnerabilities can be eradicated using approaches such as those outlined by CISA Secure by Design and the voluntary Code of Practice for Software Vendors, a systemic intervention by the UK government aimed at software vendors and designed to ensure that security is ‘baked into’ software. It will begin as a voluntary code, but further policy interventions to support its uptake and impact are currently being explored.