NCSC Feed: A method to assess ‘forgivable’ vs ‘unforgivable’ vulnerabilities

Source URL: https://www.ncsc.gov.uk/report/a-method-to-assess-forgivable-vs-unforgivable-vulnerabilities
Source: NCSC Feed
Title: A method to assess ‘forgivable’ vs ‘unforgivable’ vulnerabilities

Feedly Summary: Research from the NCSC designed to eradicate vulnerability classes and make the top-level mitigations easier to implement.

AI Summary and Description: Yes

Summary: This text addresses a pressing issue in software security, focusing on the categorization of vulnerabilities into ‘forgivable’ and ‘unforgivable’ based on their ease of mitigation. Its insights highlight systemic flaws in secure development practices and provide actionable recommendations for improving software security — vital for professionals in security and compliance roles.

Detailed Description:
The provided text discusses the growing number of vulnerabilities in software, particularly centering on ‘unforgivable vulnerabilities’ — those that arise despite simple and well-known mitigations being available. Key points include:

– **Increase in Vulnerabilities**: The text emphasizes the rising number of Common Vulnerabilities and Exposures (CVEs) in software, with the National Cyber Security Centre (NCSC) anticipating this trend will continue without appropriate interventions.

– **Forgivable vs. Unforgivable Vulnerabilities**: The main contribution of this paper is the classification of vulnerabilities:
  – **Forgivable Vulnerabilities**: Those whose known mitigations are hard to implement, for example because they are subtle or costly.
  – **Unforgivable Vulnerabilities**: Those that should not exist, because the mitigation is trivial to implement: low cost and clearly documented.

– **Assessment Methodology**: The paper proposes a method to assess vulnerabilities based on the ease of implementation of top-level mitigations, using a scoring system. The scores are categorized as ‘easy’, ‘medium’, or ‘hard’.
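As an added illustration of the kind of assessment the summary describes, the following toy scorer bands each top-level mitigation as ‘easy’, ‘medium’ or ‘hard’ and then labels a vulnerability forgivable or unforgivable by its easiest available mitigation. This is example code written for this page, not the NCSC’s published method or scoring: the effort drivers (cost, documentation clarity, subtlety), their weights, the band thresholds and the sample entries are all assumptions.

```python
"""Toy 'forgivable' vs 'unforgivable' scorer.

Constructed illustration, not the NCSC's method: the report bands mitigation
effort as easy/medium/hard, but the weights, thresholds and sample data here
are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Effort drivers named in the summary (cost, documentation, subtlety), each
# rated 1 (favourable) .. 5 (unfavourable). Weights are an assumption.
WEIGHTS = {"cost": 0.5, "documentation": 0.3, "subtlety": 0.2}


@dataclass
class Mitigation:
    name: str
    cost: int           # 1 = cheap to apply, 5 = very expensive
    documentation: int  # 1 = clearly documented, 5 = obscure
    subtlety: int       # 1 = obvious to apply correctly, 5 = subtle, error-prone

    def effort(self) -> float:
        """Weighted effort score in [1, 5]; rejects out-of-range ratings."""
        for key in WEIGHTS:
            value = getattr(self, key)
            if not 1 <= value <= 5:
                raise ValueError(f"{key} must be in 1..5, got {value}")
        return sum(WEIGHTS[key] * getattr(self, key) for key in WEIGHTS)


def band(score: float) -> str:
    """Map an effort score to the easy/medium/hard bands (thresholds assumed)."""
    if score <= 2.0:
        return "easy"
    if score <= 3.5:
        return "medium"
    return "hard"


@dataclass
class Vulnerability:
    identifier: str
    mitigations: list[Mitigation]


def classify(vuln: Vulnerability) -> tuple[str, str]:
    """Return (band of the easiest mitigation, 'forgivable' | 'unforgivable').

    Assumption: a vulnerability is judged by its *easiest* known top-level
    mitigation, and only an 'easy' mitigation makes it unforgivable.
    """
    if not vuln.mitigations:
        raise ValueError(f"{vuln.identifier}: no mitigation to assess against")
    easiest = min(vuln.mitigations, key=Mitigation.effort)
    b = band(easiest.effort())
    return b, ("unforgivable" if b == "easy" else "forgivable")


def assess_all(vulns: list[Vulnerability]) -> dict[str, tuple[str, str]]:
    """Classify every vulnerability; returns identifier -> (band, verdict)."""
    return {v.identifier: classify(v) for v in vulns}


# Constructed sample entries (hypothetical ratings, not taken from the report).
SAMPLE = [
    Vulnerability("constructed: reflected XSS in a web form", [
        Mitigation("context-aware output encoding", cost=1, documentation=1, subtlety=2),
    ]),
    Vulnerability("constructed: out-of-bounds write in legacy C code", [
        Mitigation("rewrite component in a memory-safe language", cost=5, documentation=2, subtlety=3),
        Mitigation("manual bounds checks on every buffer access", cost=4, documentation=4, subtlety=5),
    ]),
]

if __name__ == "__main__":
    for ident, (b, verdict) in assess_all(SAMPLE).items():
        print(f"{ident}: easiest mitigation is {b} -> {verdict}")
```

The XSS entry scores 1.2 (easy) and is therefore unforgivable; the out-of-bounds write’s cheapest mitigation scores 3.7 (hard), so it is forgivable. The point of the structure is that the verdict attaches to the mitigation’s effort, not to the severity of the weakness.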

– **Roots and Mitigation Analysis**: The text discusses the root causes of vulnerabilities using the CWE Top 25 Most Dangerous Software Weaknesses for 2023 and outlines 11 key mitigations needed to address these vulnerabilities.

– **Statistics on Software Defects**: It cites historical data demonstrating a consistent presence of software defects across various programming languages and environments, highlighting the intrinsic challenges in software development.

– **Call to Action for Vendors**: The NCSC urges software vendors to eliminate classes of vulnerabilities and ease the process of implementing effective mitigations within the development lifecycle, including securing development environments and encouraging secure programming.

– **Conclusions and Recommendations**: The document concludes with actionable strategies for software development, operating systems, and development environments to reduce vulnerabilities, calling for collaboration between vendors, developers, and security professionals.

In summary, this paper serves as a critical resource for professionals in software security, providing a framework for understanding and addressing the vulnerability landscape by focusing on both root causes and effective mitigations. It underscores the ongoing need for improved secure software development practices and collaboration among industry stakeholders to create secure software environments.