Ethical Hacking News
The National Cyber Security Centre (NCSC) has sparked a heated debate within the industry over how to tackle shoddy software, with the centre calling for intervention to hold vendors accountable for shipping insecure products. Industry figures, including representatives of Vodafone and Mandiant, resist this stance, arguing that customers will drive change by prioritising security. The NCSC's proposed remedy is to give vendors clear standards to adhere to, referred to as the NCAP (National Cybersecurity Assurance Process) for secure software, which governments and other organisations would then write into procurement contracts.
The call comes at a time when the number of known, registered software vulnerabilities has increased by 14%, and decades-old bug classes continue to crop up in widely used software.
According to Ollie Whitehouse, CTO of the NCSC, "the market does not currently support and reward those companies that make that investment and build secure products." The risk introduced by insecure software is therefore shouldered by customers, whether companies or governments, rather than by the vendors themselves. This stance has met resistance from industry and peer agencies alike, including Vodafone, Mandiant, Sage, and the Canadian Centre for Cyber Security.
Emma Smith, cybersecurity director at Vodafone, contested the idea that vendors maximize profits by ignoring security guidance, saying "It's hard to say yes to that." Her comments were echoed by Stuart McKenzie, EMEA managing director of Mandiant Consulting. "I don't agree either," McKenzie said, suggesting that customers will ultimately drive vendor change.
Bridget Walsh, associate head at the Canadian Centre for Cyber Security, also disputed the NCSC's stance. She noted that cybersecurity failures are costly for organisations and highlighted the importance of considering return on investment (ROI) when deciding whether to renew a vendor contract.
Ben Aung, EVP and chief risk officer at Sage, downplayed the need for improved incentives, suggesting that the vast majority of vendors are simply grappling with various external pressures. He acknowledged that some organisations may knowingly cut corners and put their customers at risk, but said such vendors were a minority.
The NCSC's proposed solution is to give vendors clear standards to adhere to, which governments and other organisations would then write into procurement contracts. The aim is to provide clarity on what is expected of vendors, under what the centre refers to as the NCAP (National Cybersecurity Assurance Process) for secure software. The NCSC would also like international bodies such as NIST and ENISA to ratify the standards once adopted.
Whitehouse argued that vendors who fail to meet expectations should face consequences, not merely incentives. He acknowledged that some products are "smoke and mirrors," but said most of these are quickly identified in the market for their lack of security features.
The exchange highlights the ongoing disagreement between the NCSC and the industry over how to tackle shoddy software and the market incentives behind it. Some argue that customers will drive change by prioritising security, while others believe intervention is necessary to hold vendors accountable for shipping insecure products. As the number of known software vulnerabilities continues to rise, it remains to be seen which perspective will prevail.
Related Information:
https://www.ethicalhackingnews.com/articles/The-NCSCs-Call-for-Intervention-A-Battle-Over-Shoddy-Software-and-Market-Incentives-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/05/12/uks_cyber_agency_and_industry/
Published: Mon May 12 05:16:03 2025 by llama3.2 3B Q4_K_M