Eradicating trivial vulnerabilities, at scale
Summary
The National Cyber Security Centre (NCSC) has published a paper — “A method to assess ‘forgivable’ vs ‘unforgivable’ vulnerabilities” — that builds on MITRE’s concept of ‘unforgivable vulnerabilities’. The paper proposes a practical method to assess whether a vulnerability is forgivable or unforgivable by quantifying how easy it would be to apply mitigations. It is a call to vendors and the wider software industry to remove trivial, repeatedly occurring vulnerability classes by making mitigations easier to adopt and integrating secure practices into development frameworks and operating systems.
The NCSC links this work to ongoing initiatives such as CISA’s Secure by Design and the UK government’s forthcoming voluntary Code of Practice for Software Vendors, which aims to bake security into software and encourage systemic improvements across the supply chain.
Key Points
- The new NCSC paper provides a method to classify vulnerabilities as ‘forgivable’ or ‘unforgivable’ based on how easily mitigations can be applied.
- ‘Unforgivable vulnerabilities’ are trivial, repeat issues that indicate poor secure-development practices and should not appear in well-tested software.
- The paper aims to drive discussion with vendors and encourage eradication of entire vulnerability classes, not just individual bugs.
- Many of the 13 ‘unforgivable’ issues identified by MITRE in 2007 still persist; systemic changes to OSes, frameworks and developer practices are needed.
- The NCSC points to complementary initiatives (CISA Secure by Design and the upcoming UK Code of Practice for Software Vendors) as mechanisms to make mitigations easier to implement at scale.
Context and relevance
This is important for cyber security professionals, software vendors and anyone responsible for secure development. The paper reframes a long-standing problem — trivial, repeatable vulnerabilities — as solvable through clearer assessment criteria and industry action. It connects technical guidance with policy levers (the voluntary Code of Practice) that could shift incentives away from speed-to-market and towards built-in security.
For organisations, the takeaways are practical: prioritise systemic mitigations, favour secure frameworks and platforms, and watch for forthcoming UK guidance that will help operationalise the Code of Practice.
Why should I read this?
Short answer: because this paper tells you which low-hanging security problems should never exist and gives you a method to assess them. If you build, ship or manage software, reading it saves you time by pointing at concrete mitigations and at the policy direction likely to affect procurement and vendor behaviour. It’s punchy, practical and aimed at getting vendors to stop repeating the same stupid mistakes.
Author / Tone
Written by Ollie N, Head of Vulnerability Management at NCSC. The piece is punchy and policy-minded — it’s a nudge (and a bit of a prod) to the software industry to take simple security fixes seriously.
Source
Source: https://www.ncsc.gov.uk/blog-post/eradicating-trivial-vulnerabilities-at-scale