The UK’s National Cyber Security Centre (NCSC) has launched a new initiative designed to enhance its understanding of vulnerability research and improve the sharing of best practices among the external cybersecurity community.
Announced yesterday, the Vulnerability Research Institute (VRI) will help the NCSC to better understand:
- Vulnerabilities present in specific products and technologies
- Mitigations needed to fix these vulnerabilities
- How researchers conduct their research
- What tools they use in their vulnerability research (VR)
The VRI comprises a core team of technical experts, relationship managers and project managers. Their job is to pass on requirements from the NCSC’s in-house vulnerability research team to its VRI industry partners, and then to monitor the progress of any research.
“This successful way of working increases NCSC’s capacity to do VR and shares VR expertise across the UK’s VR ecosystem,” said the NCSC.
“As well as informing our advice and guidance as the National Technical Authority on cybersecurity, our research allows us to engage with technology vendors to encourage them to fix the bugs we find and build more secure products.”
The NCSC warned that vulnerability research is getting harder given the rapid pace of technology innovation, but that it’s essential to build a body of expertise within the agency that can be used to shape its guidance for UK organizations.
The agency said that it wants to extend its outreach to industry experts in the future on topics such as the application of AI to vulnerability research.
It warned back in May that AI is likely to supercharge vulnerability research and exploit development (VRED) for threat actors over the next two years, making it increasingly important for network defenders to scale cybersecurity.
It’s a concern shared by researchers at ReliaQuest.
The NCSC has also called on the software industry to step up, by improving development processes to prioritize security by design. It wants to make “top-level” mitigations easier for vendors and developers to implement, thus eradicating a whole class of “unforgivable” vulnerabilities.
A paper launched at the start of this year is designed to help security researchers to assess if vulnerabilities are “forgivable” or “unforgivable,” in a bid to put pressure on the market.