Light Dark
March 25, 2024 By Jennifer Gregory 3 min read
News

The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software.” The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages.

This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a goal of the Open-Source Software Security Initiative (OS3I), which recently released a new report.

What are memory-safe programming languages?

Memory bugs happen when a programmer writes code that causes an issue related to memory access. Common bugs happen with buffer overflows and dangling pointers. By using a memory-safe programming language such as Rust, Go, Java, Swift and Python, developers cannot create code that causes a memory bug because the language includes specific properties such as memory or type safety. When developers write code in non-memory safe languages such as C and C++, they can inadvertently write code that can cause memory access errors. Instead of catching the errors during compile time and runtime, as with memory-safe languages, the bugs make it into the final version and cause security issues.

While cybersecurity often focuses on reacting to threats, reducing risk starts by creating practices that reduce code errors that can create security issues. Google reported that 70% of severe security bugs are actually memory safety issues. Widely used programming languages such as C and C++ are often the culprit for many of the issues, especially due to pointer errors.

Using a memory-safe language significantly reduces or totally eliminates memory-safe vulnerabilities. This, in turn, reduces the cybersecurity risk of the final code. In addition to improved security, memory-safe languages also reduce crashes and allow developers to increase productivity because they do not need to focus on memory management issues.

ONCD report outlines two goals related to memory-safe languages

Reducing memory bugs is a complex issue that requires a multi-prong approach. The report focuses on getting organizations to focus on two specific areas related to memory-safe languages. Additionally, the government wants to focus on creating partnerships with the technical community, especially engineers and developers, to collaborate on making this key shift.

Here are the two main goals outlined in the fact sheet released with the report:

1. Reducing the attack surface in cyberspace

A smaller attack area means lower risk. Each line of code that creates vulnerabilities considerably expands the attack surface area. A single mistake that causes a memory-safe error can create a large number of vulnerabilities. The report recommends using a memory-safe programming language as one of the most effective ways of reducing the attack surface. With these languages, programmers cannot make the errors that lead to increasing the attack surface through memory bugs.

2. Anticipating systemic security risk

Many organizations are unable to accurately assess risk in their software because using metrics on constantly changing software is exceptionally challenging. While software measurability is a complex challenge, the shift starts by moving from being reactive to being proactive. By developing better diagnostics for cybersecurity quality, organizations can more accurately identify and proactively fix risks.

The reality of transitioning to memory-safe

While it’s easy to say organizations should use memory-safe languages, the reality is that this transition is complicated. Many software programs and libraries are based on non-safe memory-safe languages, and completely rewriting the entire codebase is often simply not feasible.

Starting a new project with a memory-safe programming language, whenever possible, is the simplest way to begin transitioning. Organizations can also reduce the attack surface without a total rewrite by rewriting only critical functions and libraries that are most at risk for memory-safe bugs, which often include areas with buffer overflows and dangling pointers. Some memory-safe languages, such as Rust and Swift, are interoperable with C and C++, making this approach feasible. When taking this approach organizations must integrate the build systems and build abstractions in the new language for shared objects and data.

However, making this transition requires the right developer resources. Organizations should start by evaluating their current developer team to determine what expertise the team currently holds in terms of memory-safe languages. The next step is training current developers as well as ensuring that new developers are skilled in memory-safe languages.

Moving forward with memory-safe programming languages

With the increased focus on cybersecurity, many organizations are realizing that the most important step is moving from a reactive to a proactive approach. By going back to the beginning and focusing on creating secure code, organizations can significantly reduce their risk. While it’s not a simple or quick process, the benefits of making this shift are meaningful and long-lasting.

 |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
May 8, 2024

Change Healthcare attack expected to exceed $1 billion in costs

3 min read - The impact of the recent Change Healthcare cyberattack is unprecedented — and so are the costs. Rick Pollack, President and CEO of the American Hospital Association, stated, “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.”In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, speculated on the overall data breach costs. When all is said and done, the total tally may reach $1 billion…

May 1, 2024

New proposed federal data privacy law suggests big changes

3 min read - After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations. With the American Privacy Rights Act of 2024, the U.S. government established…

April 29, 2024

The major hardware flaw in Apple M-series chips

3 min read - The “need for speed” is having a negative impact on many Mac users right now. The Apple M-series chips, which are designed to deliver more consistent and faster performance than the Intel processors used in the past, have a vulnerability that can expose cryptographic keys, leading an attacker to reveal encrypted data. This critical security flaw, known as GoFetch, exploits a vulnerability found in the M-chips data memory-dependent prefetcher (DMP). DMP’s benefits and vulnerabilities DMP predicts memory addresses that the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature