White House Recommends Memory-Safe Programming Languages and Security-by-Design
A new White House report focuses on securing computing at the root of cyber attacks — in this case, reducing the attack surface with memory-safe programming languages like Python, Java and C# and promoting the creation of standardized measurements for software security.
The report urges tech professionals to:
- Implement memory-safe programming languages.
- Develop and support new metrics for measuring hardware security.
This report, titled Back to the Building Blocks: A Path Toward Secure and Measurable Software, is meant to convey to IT pros and business leaders some of the U.S. government’s priorities when it comes to securing hardware and software at the design phase. The report is a call to suggested action, with advice and loose guidelines.
“Even if every known vulnerability were to be fixed, the prevalence of undiscovered vulnerabilities across the software ecosystem would still present additional risk,” the report states. “A proactive approach that focuses on eliminating entire classes of vulnerabilities reduces the potential attack surface and results in more reliable code, less downtime and more predictable systems.”
Memory safety vulnerabilities a concern in programming languages
Memory safety vulnerabilities have been around for more than 35 years, the report pointed out, with no one solution appearing. The report’s authors state there is no “silver bullet” solution for every cybersecurity problem, though using programming languages with memory safety built in may reduce large numbers of possible types of cyberattacks.
The ONCD points out that C and C++ are very popular programming languages used in critical systems but are not memory safe. Rust is a memory-safe programming language, but it has not been proven in the kind of aerospace systems the government particularly wants to secure.
Creators of software and hardware are the most relevant stakeholders to take charge of creating memory-safe hardware, the ONCD said. Those stakeholders could work on creating new products in memory-safe programming languages or rewriting critical functions or libraries.
What programming languages are memory safe?
Python, Java, C#, Go, Delphi/Object Pascal, Swift, Ruby, Rust and Ada are some memory-safe programming languages, according to an April 2023 NSA report.
New metrics for measuring software security
The report states “it is critical to develop empirical metrics that measure the cybersecurity quality of software.” This is a more difficult effort than switching to memory-safe programming languages; after all, the challenges and benefits of creating overarching metrics or tools to measure and evaluate software security have been discussed for decades.
Developing metrics for measuring software security is difficult for three main reasons:
- Software engineering can be an art as well as a science, and most software is not uniform.
- Software behavior may be very unpredictable.
- Software development is very fast moving.
In order to overcome these challenges, ONCD notes that any metric developed to assess software safety would need to be monitored and open to change constantly, and software would need to be measured on a dynamic, not static, basis.
Industry response to the report’s priorities
Gartner VP Analyst Paul Furtado told TechRepublic by email that, “Ultimately everything we can do to minimize the potential for a security incident is beneficial to the market.” He pointed out that companies may have a long way to go to reduce their attack surface using methods like those suggested in the ONCD report.
“Even within internally developed applications there is reliance on underlying code libraries. All these environments and applications have some level of tech debt,” Furtado said. “Until the tech debt is addressed across the entire chain, the underlying risk remains albeit you do start reducing the attack surface. The report provides a path forward for focusing on new development, but the reality is we will be many years away from addressing all the residual tech debt that can still leave organizations susceptible to being exploited.”
SEE: Prepare for the cybersecurity landscape of the future at the top tech events in 2024. (TechRepublic)
Some large tech organizations are already on board with the report’s recommendations.
“We believe adopting memory-safe languages presents an opportunity to improve software security and further protect critical infrastructure from cybersecurity threats,” said Juergen Mueller, Chief Technology Officer, SAP, in a statement to the ONCD.
“I commend the Office of the National Cyber Director for taking the important first step beyond high-level policy, translating these ideas into calls-to-action the technical and business communities can understand,” said Jeff Moss, president of DEFCON and Black Hat, in a statement to the ONCD. “I endorse the recommendation to adopt memory safe programming languages across the ecosystem because doing so can eliminate whole categories of vulnerabilities that we have been putting band-aids on for the past thirty years.”
Takeaways for the C-suite on focus areas for cybersecurity
The report notes that security is not only in the hands of the chief information security officer of a company using affected software; instead, chief information officers, who will take the lead in buying software, and chief technology officers at companies manufacturing software in particular should share the responsibility for cybersecurity efforts with each other and with the CISO.
These leaders should encourage cybersecurity in three major areas, the report said:
- Software development — of most interest to CTOs and CIOs.
- The analysis of software products — of most interest to CTOs and CIOs.
- A resilient execution environment — of most interest to CISOs.
About Author
