Light Dark
March 25, 2024 By Jennifer Gregory 3 min read
News

The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software.” The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages.

This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a goal of the Open-Source Software Security Initiative (OS3I), which recently released a new report.

What are memory-safe programming languages?

Memory bugs happen when a programmer writes code that causes an issue related to memory access. Common bugs happen with buffer overflows and dangling pointers. By using a memory-safe programming language such as Rust, Go, Java, Swift and Python, developers cannot create code that causes a memory bug because the language includes specific properties such as memory or type safety. When developers write code in non-memory safe languages such as C and C++, they can inadvertently write code that can cause memory access errors. Instead of catching the errors during compile time and runtime, as with memory-safe languages, the bugs make it into the final version and cause security issues.

While cybersecurity often focuses on reacting to threats, reducing risk starts by creating practices that reduce code errors that can create security issues. Google reported that 70% of severe security bugs are actually memory safety issues. Widely used programming languages such as C and C++ are often the culprit for many of the issues, especially due to pointer errors.

Using a memory-safe language significantly reduces or totally eliminates memory-safe vulnerabilities. This, in turn, reduces the cybersecurity risk of the final code. In addition to improved security, memory-safe languages also reduce crashes and allow developers to increase productivity because they do not need to focus on memory management issues.

ONCD report outlines two goals related to memory-safe languages

Reducing memory bugs is a complex issue that requires a multi-prong approach. The report focuses on getting organizations to focus on two specific areas related to memory-safe languages. Additionally, the government wants to focus on creating partnerships with the technical community, especially engineers and developers, to collaborate on making this key shift.

Here are the two main goals outlined in the fact sheet released with the report:

1. Reducing the attack surface in cyberspace

A smaller attack area means lower risk. Each line of code that creates vulnerabilities considerably expands the attack surface area. A single mistake that causes a memory-safe error can create a large number of vulnerabilities. The report recommends using a memory-safe programming language as one of the most effective ways of reducing the attack surface. With these languages, programmers cannot make the errors that lead to increasing the attack surface through memory bugs.

2. Anticipating systemic security risk

Many organizations are unable to accurately assess risk in their software because using metrics on constantly changing software is exceptionally challenging. While software measurability is a complex challenge, the shift starts by moving from being reactive to being proactive. By developing better diagnostics for cybersecurity quality, organizations can more accurately identify and proactively fix risks.

The reality of transitioning to memory-safe

While it’s easy to say organizations should use memory-safe languages, the reality is that this transition is complicated. Many software programs and libraries are based on non-safe memory-safe languages, and completely rewriting the entire codebase is often simply not feasible.

Starting a new project with a memory-safe programming language, whenever possible, is the simplest way to begin transitioning. Organizations can also reduce the attack surface without a total rewrite by rewriting only critical functions and libraries that are most at risk for memory-safe bugs, which often include areas with buffer overflows and dangling pointers. Some memory-safe languages, such as Rust and Swift, are interoperable with C and C++, making this approach feasible. When taking this approach organizations must integrate the build systems and build abstractions in the new language for shared objects and data.

However, making this transition requires the right developer resources. Organizations should start by evaluating their current developer team to determine what expertise the team currently holds in terms of memory-safe languages. The next step is training current developers as well as ensuring that new developers are skilled in memory-safe languages.

Moving forward with memory-safe programming languages

With the increased focus on cybersecurity, many organizations are realizing that the most important step is moving from a reactive to a proactive approach. By going back to the beginning and focusing on creating secure code, organizations can significantly reduce their risk. While it’s not a simple or quick process, the benefits of making this shift are meaningful and long-lasting.

 |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
July 23, 2024

Recent CrowdStrike outage: What you should know

3 min read - On Friday, July 19, 2024, nearly 8.5 million Microsoft devices were affected by a faulty system update, causing a major outage of businesses and services worldwide. This equates to nearly 1% of all Microsoft systems globally and has led to significant disruptions to airlines, police departments, banks, hospitals, emergency call centers and hundreds of thousands of other private and public businesses. What caused this outage in Microsoft systems? The global outage of specific Microsoft-enabled systems and servers was isolated to…

July 22, 2024

White House mandates stricter cybersecurity for R&D institutions

2 min read - Federal cyber regulation is edging further into research and development (R&D) and higher education. A recent memo from the Office of Science and Technology Policy (OSTP) states that certain covered institutions will be required to implement cybersecurity programs for R&D security. These mandates will also apply to institutions of higher education that support R&D. Beyond strengthening the overall U.S. security posture, this move is also in direct response to growing threats posed by the People's Republic of China (PRC), as…

July 19, 2024

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature