ossf / wg-best-practices-os-developers

The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
https://openssf.org
Apache License 2.0

NCSC Vendor Security Assessment V.B.5 Unsafe functions - not used in vendor's released code #646

Open myteron opened 1 month ago

myteron commented 1 month ago

This is a language-independent issue. In a nutshell, the UK NCSC requires having no "unsafe functions" in their code, without providing a list of them. This is a prerequisite for delivering products into the UK market.

I believe that there is a high risk that misinterpretation can lead suppliers to return to "custom implementations" to avoid "unsafe functions", like what we had 20-30 years ago, subsequently causing more untracked vulnerabilities.

The UK NCSC requires in V.B.5:

Security expectation: "There are no unsafe functions used within the vendor’s released code. Unsafe functions are those commonly associated with security vulnerabilities or those considered unsafe by industry best practice".

Why it matters: "These functions are frequently the cause of product vulnerabilities"

Evaluation, Security declaration: "The Security Declaration clearly states whether unsafe functions are used within the vendor’s code base."

Evaluation, customer or 3rd party spot checks: "Request code metrics on use of unsafe functions"

https://www.ncsc.gov.uk/files/NCSC-Vendor-Security-Assessment.pdf

jussiauvinen commented 1 month ago

I think the link there is incorrect. The right one is this.

torgo commented 1 week ago

I will see if I can find a contact point.