This is a language-independent issue. In a nutshell, the UK NCSC requires that there be no "unsafe functions" in their code, without providing a list of them. This is a prerequisite to deliver products into the UK market.
I believe that there is a high risk that misinterpretation can lead suppliers to return to "custom implementations" to avoid "unsafe functions", like what we had 20-30 years ago, subsequently causing more untracked vulnerabilities.
The UK NCSC requires in V.B.5:
Security expectation: "There are no unsafe functions used within the vendor’s released code. Unsafe functions are those commonly associated with security vulnerabilities or those considered unsafe by industry best practice".
Why it matters: "These functions are frequently the cause of product vulnerabilities"
Evaluation, Security declaration: "The Security Declaration clearly states whether unsafe functions are used within the vendor’s code base."
Evaluation, customer or 3rd party spot checks: "Request code metrics on use of unsafe functions"
https://www.ncsc.gov.uk/files/NCSC-Vendor-Security-Assessment.pdf
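One way to produce the "code metrics on use of unsafe functions" the assessment asks for, as an added example that is not part of the issue above and not NCSC tooling: a small scanner that counts calls to a denylist of C library functions. Because the NCSC document publishes no list, the denylist here is an assumption drawn from commonly cited industry guidance, and the sample sources are constructed.

```python
import re
from collections import Counter

# Assumed denylist (the NCSC document gives none): C functions that industry
# guidance such as the CERT C rules and vendor "banned function" lists flag,
# each paired with a bounded alternative for the report.
UNSAFE_FUNCTIONS = {
    "gets": "fgets with a bounded size",
    "strcpy": "strncpy/strlcpy or snprintf with a bounded size",
    "strcat": "strncat/strlcat with a bounded size",
    "sprintf": "snprintf with a bounded size",
}

# An identifier followed by "(", not part of a longer identifier:
# matches "strcpy(" but not "my_strcpy(" or "strcpy_s(".
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])([A-Za-z_][A-Za-z0-9_]*)\s*\(")

def strip_comments_and_strings(source: str) -> str:
    """Drop C comments and string literals so that a mention such as
    'use strcpy' inside a comment or string is not counted as a call."""
    source = re.sub(r"/\*.*?\*/", " ", source, flags=re.S)
    source = re.sub(r"//[^\n]*", " ", source)
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', source)

def unsafe_call_metrics(source: str) -> dict:
    """Return {function_name: call_count} for denylisted calls in one C file."""
    names = CALL_RE.findall(strip_comments_and_strings(source))
    return dict(Counter(n for n in names if n in UNSAFE_FUNCTIONS))

def report(sources: dict) -> list:
    """Per-file findings as (path, function, count, suggested replacement)."""
    rows = []
    for path, text in sorted(sources.items()):
        for name, count in sorted(unsafe_call_metrics(text).items()):
            rows.append((path, name, count, UNSAFE_FUNCTIONS[name]))
    return rows

# Constructed sample sources standing in for a vendor code base.
SAMPLE_SOURCES = {
    "net/parse.c": '''
        void handle(char *dst, const char *src) {
            /* strcpy in this comment must not be counted */
            strcpy(dst, src);
            sprintf(dst, "%s", src);
            strcpy(dst, "literal");
        }''',
    "util/safe.c": '''
        void copy(char *dst, size_t n, const char *src) {
            strncpy(dst, src, n);      // bounded, not on the denylist
            puts("never call gets(");  // inside a string, not counted
        }''',
}

if __name__ == "__main__":
    for path, name, count, fix in report(SAMPLE_SOURCES):
        print(f"{path}: {name} x{count} (replace with {fix})")
```

The per-function counts are the metric a spot check would request; the comment and string stripping keeps a code base that merely documents the hazard from being reported as using it.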