Eradicating trivial vulnerabilities, at scale

In the NCSC’s 2024 Annual Review, we highlighted the essential need to address ‘foundational vulnerabilities’ in software code to enhance global digital resilience. The publication, titled ‘Market incentives and the future of technology security’, emphasized the urgency of correcting years of misaligned incentives that have favored ‘features’ and ‘rapid deployment’ over fixing the vulnerabilities whose removal would bolster security on a wider scale.

All systems inherently contain vulnerabilities, many of which are intricate and challenging to avoid.

Nevertheless, the vulnerabilities stressed in the Annual Review, those that are trivial to identify and that recur frequently, are the ones the NCSC seeks to diminish significantly. These issues, dubbed ‘unforgivable vulnerabilities’ by Steve Christey in his 2007 MITRE report, are described as ‘indicators of a persistent neglect for secure development practices. Such vulnerabilities should not exist in software meticulously designed, developed, and tested with security principles in focus’.

A recent paper by the NCSC (“A method to assess ‘forgivable’ vs ‘unforgivable’ vulnerabilities”) builds upon the concepts presented in the MITRE report, offering a methodological framework for security researchers to evaluate whether a vulnerability can be considered ‘forgivable’ or ‘unforgivable’. The approach quantifies how easily the mitigations required to prevent the vulnerability could have been implemented: a vulnerability whose mitigations are straightforward to apply can be categorized as ‘unforgivable’, while one whose mitigations are genuinely difficult can be categorized as ‘forgivable’.

Furthermore, this paper aims to foster dialogue with vendors and urges them to collaborate on eliminating classes of vulnerabilities while making the primary mitigations discussed more accessible to deploy.

Many of the 13 ‘unforgivable vulnerabilities’ initially identified in the MITRE 2007 report persist in various forms. The objective of this research is to eradicate these vulnerability classes and facilitate the implementation of top-level mitigations. The NCSC believes that enhancing operating system security, refining development frameworks, and encouraging secure programming practices among developers and vendors are key to achieving this goal.

While vulnerabilities can be difficult to avoid, many can be eliminated with the right tools and strategies, such as those proposed by CISA Secure by Design and the voluntary Code of Practice for Software Vendors. The latter is a systemic initiative by the UK government designed to ensure that security principles are ‘integrated into’ software development processes. It will begin as a voluntary standard, with further policy measures being evaluated to enhance its adoption and effectiveness.

The Code of Practice will be released later this year, along with guidance aimed at facilitating the technical controls necessary for organizations to comply with the code.

NCSC 2024 Annual Review

Ollie N

Head of Vulnerability Management

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/eradicating-trivial-vulnerabilities-at-scale
