The White House Office of the National Cyber Director (ONCD) is calling on technology leaders to work together to reduce the software attack surface by adopting memory safe programming languages.
Memory safety bugs are one of the most prevalent security issues over the last few decades, according to a report published by the office. These bugs affect how memory can be accessed, written, allocated, or deallocated. Popular examples of memory safety bugs include Morris Worm, Slammer Worm, Heartbleed, and BLASTPASS.
According to the ONCD, the best way to combat memory safety vulnerabilities is to secure the programming languages that are being used. Memory safe programming languages — such as Rust, Go, C#, Java, Swift, Python, and JavaScript — can eliminate most of these vulnerabilities.
RELATED CONTENT: What the National Cybersecurity Strategy means for software providers
“Since many cybersecurity issues start with a line of code, one of the most effective ways to address those issues is by examining the programming language itself. Ensuring that a programming language includes certain properties, such as memory or type safety, means software built upon that foundation automatically inherits the security those features provide,” the report states.
The ONCD is also asking technology providers to explore memory safe hardware, and it believes there are several promising developments in this area. For example, a new memory-tagging extension that cross-checks the validity of pointers to memory before using them has been developed. Another example is Capability Hardware Enhanced RISC Instructions (CHERI), which changes how software accesses memory.
In addition to recommending memory safe software and hardware, another element of the report is calling for the development of better ways to measure the security of software. The ONCD believes that having better measurability capabilities will enable technology providers to anticipate and mitigate vulnerabilities before they enter production.
“Better cybersecurity quality metrics change the equation because they will enable data-informed decision-making across the supply chain. While the technical executives, like the CTO, CIO, and CISO, play a defining role in executing this vision, cybersecurity quality must also be seen as a business imperative for which the CEO and the board of directors are ultimately accountable. Addressing the software measurability problem would fully realize this metric’s utility, closing a vital information gap and incentivizing long-term investments in software security. This would allow all ecosystem stakeholders to see their return on investment or clearly understand the risk of a lower quality product,” the report stated.
This is just another step in the White House’s efforts to improve cybersecurity. In March 2023, President Biden signed an executive order related to cybersecurity, and since then has created the National Cybersecurity Strategy Implementation Plan and the National Cyber Workforce and Education Strategy.