A new White House report focuses on tackling cyberattacks at their root: reducing the attack surface by building software in memory-safe programming languages such as Python, Java and C#, and developing standardized ways to measure software security.
The report urges technology professionals to:
- Implement memory-safe programming languages.
- Develop and support new metrics to measure software security.
The report, titled Back to the Building Blocks: A Path Toward Secure and Measurable Software, is meant to convey to IT professionals and business leaders some of the US government's priorities for securing hardware and software in the design phase. It is a call to action rather than a mandate, offering flexible advice and guidelines.
“Even if all known vulnerabilities were fixed, the prevalence of undiscovered vulnerabilities across the software ecosystem would still present additional risk,” the report states. “A proactive approach that focuses on eliminating entire classes of vulnerabilities reduces the potential attack surface and results in more reliable code, less downtime, and more predictable systems.”
Memory safety vulnerabilities are a long-standing concern in programming languages
Memory safety vulnerabilities have existed for more than 35 years, the report notes, with no fix emerging. The authors acknowledge that there is no silver bullet for all cybersecurity problems, but using programming languages with built-in memory safety can eliminate a large share of potential attack types in one stroke.
ONCD notes that C and C++ are very popular languages for critical systems but are not memory safe. Rust is a memory-safe language, but it has not yet been proven on the kind of aerospace systems the government particularly wants to protect.
Software and hardware creators are the stakeholders best placed to take charge of building memory-safe products, ONCD said, whether by writing new products in memory-safe languages or by rewriting critical functions and libraries in them.
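To make the vulnerability class concrete, here is an added example that is not from the report or this article: a small C parser for a hypothetical length-prefixed name field, written first the way the classic stack buffer overflows are written, then with the bounds checks that a memory-safe language would enforce automatically. The wire format, the buffer size and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format invented for this example: one length byte, then
 * that many bytes of an ASCII name. The 16-byte buffer size is an assumption. */
#define NAME_MAX 16

/* Constructed sample packets (not real traffic). */
static const uint8_t GOOD_PKT[]     = {5, 'a', 'l', 'i', 'c', 'e'};
static const uint8_t OVERFLOW_PKT[] = {200, 'x', 'x', 'x'}; /* length byte > NAME_MAX */
static const uint8_t OVERREAD_PKT[] = {9, 'a', 'b'};        /* length byte > bytes present */

/* Scratch destination shared by the demo wrappers below. */
static char scratch[NAME_MAX];

/* Memory-unsafe parser: trusts the attacker-controlled length byte. With
 * OVERFLOW_PKT it writes 200 bytes into a 16-byte buffer (a stack buffer
 * overflow); with OVERREAD_PKT it reads past the end of the packet. C compiles
 * and runs both without complaint; the result is undefined behaviour. */
void parse_name_unsafe(const uint8_t *pkt, char *out)
{
    uint8_t n = pkt[0];
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
}

/* Hardened parser: every access is checked against the bytes actually received
 * and against the destination size, which is what a memory-safe language's
 * bounds checks do for you on every array access. Returns the name length, or
 * -1 when the packet is malformed so the caller can drop it. */
int parse_name_checked(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len)
{
    if (pkt_len < 1 || out_len < 1)
        return -1;
    size_t n = pkt[0];
    if (n >= out_len)      /* would overflow out[]: needs n + 1 bytes for the NUL */
        return -1;
    if (n + 1 > pkt_len)   /* would read beyond the received packet */
        return -1;
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* One call per case, each returning the parser's verdict on a constructed packet. */
int demo_good(void)     { return parse_name_checked(GOOD_PKT, sizeof GOOD_PKT, scratch, sizeof scratch); }
int demo_overflow(void) { return parse_name_checked(OVERFLOW_PKT, sizeof OVERFLOW_PKT, scratch, sizeof scratch); }
int demo_overread(void) { return parse_name_checked(OVERREAD_PKT, sizeof OVERREAD_PKT, scratch, sizeof scratch); }

int main(void)
{
    char buf[NAME_MAX];

    /* The unsafe parser is only exercised on well-formed input here; feeding it
     * OVERFLOW_PKT is undefined behaviour and is deliberately not done. */
    parse_name_unsafe(GOOD_PKT, buf);
    printf("unsafe parser, good packet      : \"%s\"\n", buf);

    printf("checked parser, good packet     : %d (\"%s\")\n", demo_good(), scratch);
    printf("checked parser, overflow packet : %d\n", demo_overflow());
    printf("checked parser, over-read packet: %d\n", demo_overread());
    return 0;
}
```

Building with `cc -fsanitize=address` and calling parse_name_unsafe on OVERFLOW_PKT makes AddressSanitizer report the stack-buffer-overflow at run time, but only when that input happens to be exercised; the checked parser rejects the same packet with a return value on every run, which is the guarantee a memory-safe language provides by default rather than as a discipline each C programmer has to remember.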
What programming languages are memory safe?
Python, Java, C#, Go, Delphi/Object Pascal, Swift, Ruby, Rust, and Ada are some memory-safe programming languages, according to an April 2023 NSA report.
New metrics to measure software security
The report states that “it is critical to develop empirical metrics that measure the quality of software cybersecurity.” This is a harder endeavor than switching to memory-safe programming languages; after all, the challenges and benefits of creating general metrics or tools to measure and evaluate software security have been debated for decades.
Developing metrics to measure software security is difficult for three main reasons:
- Software engineering can be both an art and a science, and most software is not uniform.
- Software behavior can be very unpredictable.
- Software development is advancing very quickly.
To overcome these challenges, ONCD notes that any metrics developed to evaluate software security should be continuously monitored and open to revision, and that software should be measured dynamically, as it runs and changes, rather than as a static snapshot.
Industry response to report priorities
Gartner vice president analyst Paul Furtado told TechRepublic via email that “ultimately, anything we can do to minimize the potential for a security incident is beneficial to the market.” He noted that companies may have a long way to go to reduce their attack surface using methods like those suggested in the ONCD report.
“Even within internally developed applications there is a reliance on underlying code libraries. All of these environments and applications have some level of technology debt,” Furtado said. “Until tech debt is addressed across the chain, the underlying risk remains, even as the attack surface begins to shrink. The report provides a way forward to focus on new developments, but the reality is that we will be many years away from addressing all the residual technology debt that may still leave organizations susceptible to exploitation.”
Some large technology organizations already agree with the report's recommendations.
“We believe that the adoption of memory-safe languages presents an opportunity to improve software security and further protect critical infrastructure from cybersecurity threats,” Juergen Mueller, SAP's chief technology officer, said in a statement to the ONCD.
“I congratulate the Office of the National Cyber Director for taking the important first step beyond high-level policy, translating these ideas into calls to action that the technical and business communities can understand,” said Jeff Moss, president of DEFCON and Black Hat, in statements to the ONCD. “I support the recommendation to adopt memory-safe programming languages across the ecosystem because doing so can eliminate entire categories of vulnerabilities that we have been curing for the last thirty years.”
Conclusions for senior management on areas of interest for cybersecurity
The report notes that security is not solely in the hands of the chief information security officer at a company that uses the affected software; instead, CIOs, who take the lead in purchasing software, and CTOs at companies that make software should share responsibility for cybersecurity with each other and with the CISO.
These leaders should promote cybersecurity in three main areas, according to the report:
- Software development – of greatest interest to CTOs and CIOs.
- Software analysis – of greatest interest to CTOs and CIOs.
- A resilient execution environment – of greatest interest to CISOs.