Light Dark
March 25, 2024 By Jennifer Gregory 3 min read
News

The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software.” The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages.

This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a goal of the Open-Source Software Security Initiative (OS3I), which recently released a new report.

What are memory-safe programming languages?

Memory bugs happen when a programmer writes code that causes an issue related to memory access. Common bugs happen with buffer overflows and dangling pointers. By using a memory-safe programming language such as Rust, Go, Java, Swift and Python, developers cannot create code that causes a memory bug because the language includes specific properties such as memory or type safety. When developers write code in non-memory safe languages such as C and C++, they can inadvertently write code that can cause memory access errors. Instead of catching the errors during compile time and runtime, as with memory-safe languages, the bugs make it into the final version and cause security issues.

While cybersecurity often focuses on reacting to threats, reducing risk starts by creating practices that reduce code errors that can create security issues. Google reported that 70% of severe security bugs are actually memory safety issues. Widely used programming languages such as C and C++ are often the culprit for many of the issues, especially due to pointer errors.

Using a memory-safe language significantly reduces or totally eliminates memory-safe vulnerabilities. This, in turn, reduces the cybersecurity risk of the final code. In addition to improved security, memory-safe languages also reduce crashes and allow developers to increase productivity because they do not need to focus on memory management issues.

ONCD report outlines two goals related to memory-safe languages

Reducing memory bugs is a complex issue that requires a multi-prong approach. The report focuses on getting organizations to focus on two specific areas related to memory-safe languages. Additionally, the government wants to focus on creating partnerships with the technical community, especially engineers and developers, to collaborate on making this key shift.

Here are the two main goals outlined in the fact sheet released with the report:

1. Reducing the attack surface in cyberspace

A smaller attack area means lower risk. Each line of code that creates vulnerabilities considerably expands the attack surface area. A single mistake that causes a memory-safe error can create a large number of vulnerabilities. The report recommends using a memory-safe programming language as one of the most effective ways of reducing the attack surface. With these languages, programmers cannot make the errors that lead to increasing the attack surface through memory bugs.

2. Anticipating systemic security risk

Many organizations are unable to accurately assess risk in their software because using metrics on constantly changing software is exceptionally challenging. While software measurability is a complex challenge, the shift starts by moving from being reactive to being proactive. By developing better diagnostics for cybersecurity quality, organizations can more accurately identify and proactively fix risks.

The reality of transitioning to memory-safe

While it’s easy to say organizations should use memory-safe languages, the reality is that this transition is complicated. Many software programs and libraries are based on non-safe memory-safe languages, and completely rewriting the entire codebase is often simply not feasible.

Starting a new project with a memory-safe programming language, whenever possible, is the simplest way to begin transitioning. Organizations can also reduce the attack surface without a total rewrite by rewriting only critical functions and libraries that are most at risk for memory-safe bugs, which often include areas with buffer overflows and dangling pointers. Some memory-safe languages, such as Rust and Swift, are interoperable with C and C++, making this approach feasible. When taking this approach organizations must integrate the build systems and build abstractions in the new language for shared objects and data.

However, making this transition requires the right developer resources. Organizations should start by evaluating their current developer team to determine what expertise the team currently holds in terms of memory-safe languages. The next step is training current developers as well as ensuring that new developers are skilled in memory-safe languages.

Moving forward with memory-safe programming languages

With the increased focus on cybersecurity, many organizations are realizing that the most important step is moving from a reactive to a proactive approach. By going back to the beginning and focusing on creating secure code, organizations can significantly reduce their risk. While it’s not a simple or quick process, the benefits of making this shift are meaningful and long-lasting.

 |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
November 4, 2024

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

October 28, 2024

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

October 21, 2024

Has BlackCat returned as Cicada3301? Maybe.

4 min read - In 2022, BlackCat ransomware (also known as ALPHV) was among the top malware types tracked by IBM X-Force. The following year, the threat actor group added new tools and tactics to enhance BlackCat's impact. The effort paid off — literally. In March 2024, BlackCat successfully compromised Change Healthcare and received a ransom payment of $22 million in Bitcoin. But here's where things get weird: Immediately after taking payment, BlackCat closed its doors, citing "the feds" as the reason for the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature