惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Visual Studio Blog
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
雷峰网
雷峰网
V
V2EX
博客园_首页
Engineering at Meta
Engineering at Meta
博客园 - 聂微东
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
H
Help Net Security
A
About on SuperTechFans
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
云风的 BLOG
云风的 BLOG
D
Docker
Security Archives - TechRepublic
Security Archives - TechRepublic
Help Net Security
Help Net Security
N
News and Events Feed by Topic
Simon Willison's Weblog
Simon Willison's Weblog
G
Google Developers Blog
A
Arctic Wolf
T
The Blog of Author Tim Ferriss
博客园 - 叶小钗
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
aimingoo的专栏
aimingoo的专栏
Hacker News: Ask HN
Hacker News: Ask HN
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 司徒正美
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy International News Feed
T
Troy Hunt's Blog
T
Tenable Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Recorded Future
Recorded Future
F
Fortinet All Blogs
D
DataBreaches.Net
B
Blog
T
Threat Research - Cisco Blogs
MyScale Blog
MyScale Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
The GitHub Blog
The GitHub Blog
Security Latest
Security Latest
M
MIT News - Artificial intelligence

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
NCSC and industry at odds over how to tackle shoddy software
Connor Jones Connor Jones · 2025-05-12 · via The Register - Security: CSO

CYBERUK Intervention is required to ensure the security market holds vendors to account for shipping insecure wares – imposing costs on those whose failures lead to cyberattacks and having to draft in cleanup crews. The security market must properly incentivize security vendors to do security better.

So, we have a non-functional market...

That is one of the prevailing messages dished out by the cyber arm of the British intelligence squad at GCHQ's National Cyber Security Centre (NCSC) in recent years at its annual conference. The cyber agency's CTO, Ollie Whitehouse, first pitched the idea during a keynote at last year's event, and once again it was a primary talking point of this week's CYBERUK, but not one that went down well with everyone.

Whitehouse said this week that "the market does not currently support and reward those companies that make that investment and build secure products." The risks introduced here are then shouldered by customers – companies, governments – rather than the vendors themselves.

"So, we have a non-functional market," he added.

"When we need to build an ecosystem that's capable of meeting this modern threat, we have to find ways where we can incentivize those vendors to be rewarded for their hard work, for those that go the extra mile, for those that build the secure technologies which our foundations are going to rely on in the future.

"Those that build secure technology make prosperous companies. They make celebrated companies, and they make successful companies ultimately. Because without that, nothing changes, and we repeat the last 40 years."

That's the NCSC's line – one that will most likely resonate with any organization popped by one of the myriad decades-old vulns vendors can't seem to stamp out. 

But there is a disconnect between the agency's message and the views of major players elsewhere in the industry. From first being pitched as a necessary play for a more cyber-secure ecosystem, now the agency's steadfast stance on the matter has become a question of whether or not to intervene.

During a panel discussion on the matter, top brass from Vodafone, Mandiant, Sage and the NCSC's counterparts in Canada, all contested the idea when asked about whether they agree that vendors maximize profits by ignoring security guidance. 

"It's hard to say yes to that," said Emma Smith, cybersecurity director at Vodafone.

"I'm with Emma," said Mandiant Consulting's EMEA managing director Stuart McKenzie. "I don't agree either."

"I will add to the list of no, I don't agree," added Bridget Walsh, associate head at the Canadian Center for Cybersecurity, while Sage's EVP chief risk officer Ben Aung laid claim to the panel's fence-sitter with a: "I wasn't going to agree, but I don't disagree."

McKenzie's take was that customers will ultimately drive vendor change. If they start prioritizing security, that's what vendors will give them. A string of cockups will quickly out those who don't provide value, and then it becomes a case of having to improve to survive.

[At least] the NCSC is not under attack by its overseeing government like its Stateside counterpart

He said: "I think there are only some products where I think maybe, you know, they're a little bit smoke and mirrors, but I think that's rare, and then it quickly becomes known in the market that they don't work. So, I don't agree. I think there's absolutely a market, and there is a return on investment for security and resilience."

Likewise, Walsh highlighted that cybersecurity failures are costly for organizations, alluding to the fact that victims of security snafus will certainly consider the ROI when deciding to renew, or not renew, certain vendor contracts.

Aung downplayed the idea of the need for improved incentives too, saying "there are certainly organizations out there who are cutting corners knowingly and putting their customers at risk knowingly. But, I think the vast majority are just grappling with [various external factors] and in an arms race at the same time. So I think it's a complex picture."

To reward or punish… or both

In Whitehouse's keynote last year, he pointed to the circa 14 percent increase in known, registered software vulnerabilities (not including those being amassed by nation states) and the decades-old bug classes that keep cropping up in widely used software.

He said there are also extremely high levels of tech debt in organizations and that should be punished, and that vendors should not be able to escape through their T&Cs.

These are all valid points. Customers can vote with their feet as the panel said, but when these issues pervade large portions of the market, with major vendors – not just the few bad apples Aung referenced – routinely having to fix so-called "unforgiveable" bugs like directory traversals, how can we not argue that intervention is required?

Whitehouse put forth the idea of perhaps punishing vendors that fall short of expectations, not just incentivizing them to do better, during last year's CYBERUK, and this was again put on the table this week, with his industry peers once more siding against the CTO's stance.

McKenzie said "he's not a fan" of the idea. In his view, it goes back to customers eventually abandoning sub-par vendors and, when speaking to The Register, he pointed to historical events that illustrate how the market itself will drive change.

"What we need is we need purchasers of security to prioritize the features and functionalities they want and then incentivize those organizations.

If you look at someone like CrowdStrike or Microsoft Defender, they did really well in that endpoint marketplace because they provided the most features...

"If you look at someone like CrowdStrike or Microsoft Defender, they did really well in that endpoint marketplace because they provided the most features. There are other things that weren't as good. They don't grow."

With the shift from antivirus to EDR, vendors that offer the best will perform the best, he argued. 

"I just don't think that the idea of forcing a market into incentives works because it moves so fast. The advice and guidance we can give can be terrible. I'm much keener on governments producing information on what the right logging sources are, what technologies work, what's the basic security you should have."

Offering a more sympathetic view, Walsh said it's a complex situation, one on which it is tough to take a hard line. Vendors must have a clearly codified set of expectations – what exactly is unforgivable – and that guidance should be set externally. System operators also often bear the brunt of cyber failures, so providing them with the right information to enter the procurement process with confidence is also key.

"There certainly is an incentivization to not do it wrong if you get a bad reputation but there are times when it's a little more subtle," she said. "So, I'll say it's a it's a pretty complex issue but to me the most important first step is making sure that we identify exactly what are those pieces that are so basic and if we communicate about those it is more difficult for people to get those wrong."

Like emissions safety officers for the auto market...

It's not like these expectations haven't been set, though. The NCSC's Cyber Essentials certification scheme is one example of an external authority setting out the expectations of both vendors and customers. A trustmark of sorts is there, but perhaps these standards must go further, raising the bar so vendors can either compete or fall by the wayside. 

Parallels can be drawn with the automotive industry. The European NCAP program was introduced in the late 1990s, providing customers an easy way to understand how different manufacturers were performing on safety.

Before that, we had the likes of Volvo scooping up swathes of market share off the back of its reputation for producing safe cars, or German and Japanese brands for their reliability.

Perhaps the same principles could apply to security vendors, all vying for stellar, market-shifting trustworthiness. And then it goes back to purchasers dictating which security vendors end up doing well.

How those principles are enacted or enforced is a question that remains open, however. The secure by design movement, for example, looked to be gathering a head of steam when CISA introduced its pledge last year. 

The agency, like many of its global equivalents, pushed for its adoption, but as Aung noted, "it's a shame that looks like it's in some flux at the moment."

He said: "For me, that's a great direction because real clarity and specificity on the controls and standards they're expected, a really strong policy narrative that the burden of security should be borne by vendors like Sage on behalf of organizations that may not have the capabilities and skills and resources to manage those risks. 

"So, [we] really bought into that message. And then a pledge that you could sign, I'm sure eventually we would have ways that we could validate or evidence that we were meeting the control standards that underpin secure by design."

Step up, insurers

Often given a bad rep primarily for the role they play in facilitating ransom payments, like it or not, cyber insurance firms hold a significant stake in the security space, and their unique insights into the root causes of attacks can help set the standards for vendors.

Despite these companies' mere existence giving criminals an incentive to target those who have cyber insurance policies, Vodafone's Emma Smith says the questions put to policyholders each year are often influenced by their threat intelligence gleaned from recent, successful, real-world incidents.

"We've got to think about what are the disruptive incentives and effects we can have on attackers as well as the way to make it easier for defenders and for organizations like all of ours. 

"I think insurers drive a baseline based on the questions that they ask of us all and the assurance that they put in place around our organization, so by default they're driving a baseline of security for organizations that think cyber insurance is important, which I think is probably most organizations these days."

Concurring, Walsh says the insurance industry has been around for decades and has a wealth of expertise in calculating costs and assessing risk. With that, it can potentially play a significant role in informing defenders where they should be assigning budget to protect against the most damaging attacks facing organizations today.

It's a matter that was met with agreement between industry and the NCSC – a panel first – with Whitehouse linking it to taking out professional indemnity insurance, which many organizations are used to doing. What's stopping cyber insurers from offering similar policies against those who ship insecure software?

"And there's a real question here: Is that a mark of goodness, if someone is willing to take insurance, will the insurers kind of ferret out the bad apples, as it were, in the supply base?" he asked. "So, there's potential opportunity."

You heard it here first

Whitehouse committed to taking on the challenge put to him and the NCSC to standardize the expectations of vendors on an international level.

Work is already underway here: the NCSC is working with international partners to define standards and ensure they're adopted by the relevant bodies, yet the feeling is that it will take time.

One of the agency's main launches from the event was its Software Security Code of Practice, a voluntary initiative which it pitched as an answer to Whitehouse's concerns from CYBERUK 2024 about a lack of market incentives.

The NCSC's mission here is to follow in the footsteps of its AI Cyber Security Code of Practice, launched in January, which sets standards for secure AI development and deployment. These standards are now ratified by ETSI, thus meaning compliance with them should, in theory, weed out the companies that aren't taking security in this space seriously.

We can hope that, like a certain other voluntary scheme, CISA's aforementioned secure by design pledge, this doesn't run the risk of entering a flux period, as Aung put it. However, given that the NCSC is not under attack by its overseeing government like its Stateside counterpart, plus its recent success with its AI code, the chance of a repeat is lower.

The NCSC's secure software code aims to provide vendors with the tangible evidence needed to demonstrate their commitment to security, by adhering to the code's minimum standards, which it aims to ratify with international bodies. From there, customers around the world can make more informed security choices, knowing that vendors have been formally assessed on their compliance.

Once standards are adopted by international bodies such as NIST, ENISA, and others, then they can be written into procurement contracts by the likes of governments and other organizations. 

The aim here is that these standards do exactly what the panel asked for – provide clarity on what's expected of vendors, the NCAP of secure software – so the Volvos of the tech industry start to face stiffer competition, raising cyber resilience across the world, and making life tougher for attackers.

Whitehouse said: "Some of you would have heard me say that... we know more that's in our sausages than our software, and that's probably not right for 2025, so the food labelling standards are coming to software soon. You heard it here first." ®