White House Recommends Memory-Safe Programming Languages and Security-by-Design


A new White House report focuses on securing computing at the root of cyber attacks — in this case, reducing the attack surface with memory-safe programming languages like Python, Java and C# and promoting the creation of standardized measurements for software security.
The report urges tech professionals to:
This report, titled Back to the Building Blocks: A Path Toward Secure and Measurable Software, is meant to convey to IT pros and business leaders some of the U.S. government’s priorities when it comes to securing hardware and software at the design phase. The report is a call to suggested action, with advice and loose guidelines.
“Even if every known vulnerability were to be fixed, the prevalence of undiscovered vulnerabilities across the software ecosystem would still present additional risk,” the report states. “A proactive approach that focuses on eliminating entire classes of vulnerabilities reduces the potential attack surface and results in more reliable code, less downtime and more predictable systems.”
Memory safety vulnerabilities have been around for more than 35 years, the report pointed out, with no one solution appearing. The report’s authors state there is no “silver bullet” solution for every cybersecurity problem, though using programming languages with memory safety built in may reduce large numbers of possible types of cyberattacks.
The ONCD points out that C and C++ are very popular programming languages used in critical systems but are not memory safe. Rust is a memory-safe programming language, but it has not been proven in the kind of aerospace systems the government particularly wants to secure.
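To make the "entire class of vulnerabilities" point concrete, here is an added C example (not code from the report or from TechRepublic) using a hypothetical length-prefixed record format: the first function shows the unchecked-copy pattern that memory-unsafe languages permit, and the second shows the bounds checks a C programmer must write by hand, which a memory-safe language enforces automatically.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 16

/* Hypothetical record format (constructed for this example):
 * one length byte followed by that many name bytes. */

/* The memory-unsafe pattern: the declared length is trusted, so a record
 * claiming more than NAME_MAX bytes writes past the end of `out`.
 * Shown for contrast only; it is never called. */
void copy_name_unsafe(const uint8_t *rec, char *out) {
    size_t n = rec[0];
    memcpy(out, rec + 1, n);   /* no bound check: the overflow class */
    out[n] = '\0';
}

/* The hardened form: the length is checked against both the destination
 * size and the bytes actually present in the input before any write.
 * Returns the number of name bytes copied, or -1 if the record is invalid. */
int copy_name_checked(const uint8_t *rec, size_t rec_len,
                      char *out, size_t out_len) {
    if (rec == NULL || out == NULL || rec_len < 1 || out_len == 0)
        return -1;
    size_t n = rec[0];
    if (n >= out_len)          /* must leave room for the terminator */
        return -1;
    if (n > rec_len - 1)       /* declared length exceeds input supplied */
        return -1;
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    /* Constructed inputs: a well-formed record and one with an oversized length. */
    const uint8_t good[] = {5, 'a', 'l', 'i', 'c', 'e'};
    const uint8_t bad[]  = {200, 'x', 'y'};
    char buf[NAME_MAX];
    printf("good -> %d\n", copy_name_checked(good, sizeof good, buf, sizeof buf));
    printf("bad  -> %d\n", copy_name_checked(bad, sizeof bad, buf, sizeof buf));
    return 0;
}
```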
Creators of software and hardware are the most relevant stakeholders to take charge of creating memory-safe hardware, the ONCD said. Those stakeholders could work on creating new products in memory-safe programming languages or rewriting critical functions or libraries.
Python, Java, C#, Go, Delphi/Object Pascal, Swift, Ruby, Rust and Ada are some memory-safe programming languages, according to an April 2023 NSA report.
The report states “it is critical to develop empirical metrics that measure the cybersecurity quality of software.” This is a more difficult effort than switching to memory-safe programming languages; after all, the challenges and benefits of creating overarching metrics or tools to measure and evaluate software security have been discussed for decades.
Developing metrics for measuring software security is difficult for three main reasons:
In order to overcome these challenges, ONCD notes that any metric developed to assess software safety would need to be monitored and open to change constantly, and software would need to be measured on a dynamic, not static, basis.
Gartner VP Analyst Paul Furtado told TechRepublic by email that, “Ultimately everything we can do to minimize the potential for a security incident is beneficial to the market.” He pointed out that companies may have a long way to go to reduce their attack surface using methods like those suggested in the ONCD report.
“Even within internally developed applications there is reliance on underlying code libraries. All these environments and applications have some level of tech debt,” Furtado said. “Until the tech debt is addressed across the entire chain, the underlying risk remains albeit you do start reducing the attack surface. The report provides a path forward for focusing on new development, but the reality is we will be many years away from addressing all the residual tech debt that can still leave organizations susceptible to being exploited.”
Some large tech organizations are already on board with the report’s recommendations.
“We believe adopting memory-safe languages presents an opportunity to improve software security and further protect critical infrastructure from cybersecurity threats,” said Juergen Mueller, Chief Technology Officer, SAP, in a statement to the ONCD.
“I commend the Office of the National Cyber Director for taking the important first step beyond high-level policy, translating these ideas into calls-to-action the technical and business communities can understand,” said Jeff Moss, president of DEFCON and Black Hat, in a statement to the ONCD. “I endorse the recommendation to adopt memory safe programming languages across the ecosystem because doing so can eliminate whole categories of vulnerabilities that we have been putting band-aids on for the past thirty years.”
The report notes that security is not only in the hands of the chief information security officer of a company using affected software; instead, chief information officers, who will take the lead in buying software, and chief technology officers at companies manufacturing software in particular should share the responsibility for cybersecurity efforts with each other and with the CISO.
These leaders should encourage cybersecurity in three major areas, the report said: