March 25, 2024 By Jennifer Gregory 3 min read

The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software.” The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages.

This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a goal of the Open-Source Software Security Initiative (OS3I), which recently released a new report.

What are memory-safe programming languages?

Memory bugs happen when a programmer writes code that causes an issue related to memory access. Common bugs happen with buffer overflows and dangling pointers. By using a memory-safe programming language such as Rust, Go, Java, Swift and Python, developers cannot create code that causes a memory bug because the language includes specific properties such as memory or type safety. When developers write code in non-memory safe languages such as C and C++, they can inadvertently write code that can cause memory access errors. Instead of catching the errors during compile time and runtime, as with memory-safe languages, the bugs make it into the final version and cause security issues.

While cybersecurity often focuses on reacting to threats, reducing risk starts by creating practices that reduce code errors that can create security issues. Google reported that 70% of severe security bugs are actually memory safety issues. Widely used programming languages such as C and C++ are often the culprit for many of the issues, especially due to pointer errors.

Using a memory-safe language significantly reduces or totally eliminates memory-safe vulnerabilities. This, in turn, reduces the cybersecurity risk of the final code. In addition to improved security, memory-safe languages also reduce crashes and allow developers to increase productivity because they do not need to focus on memory management issues.

ONCD report outlines two goals related to memory-safe languages

Reducing memory bugs is a complex issue that requires a multi-prong approach. The report focuses on getting organizations to focus on two specific areas related to memory-safe languages. Additionally, the government wants to focus on creating partnerships with the technical community, especially engineers and developers, to collaborate on making this key shift.

Here are the two main goals outlined in the fact sheet released with the report:

1. Reducing the attack surface in cyberspace

A smaller attack area means lower risk. Each line of code that creates vulnerabilities considerably expands the attack surface area. A single mistake that causes a memory-safe error can create a large number of vulnerabilities. The report recommends using a memory-safe programming language as one of the most effective ways of reducing the attack surface. With these languages, programmers cannot make the errors that lead to increasing the attack surface through memory bugs.

2. Anticipating systemic security risk

Many organizations are unable to accurately assess risk in their software because using metrics on constantly changing software is exceptionally challenging. While software measurability is a complex challenge, the shift starts by moving from being reactive to being proactive. By developing better diagnostics for cybersecurity quality, organizations can more accurately identify and proactively fix risks.

The reality of transitioning to memory-safe

While it’s easy to say organizations should use memory-safe languages, the reality is that this transition is complicated. Many software programs and libraries are based on non-safe memory-safe languages, and completely rewriting the entire codebase is often simply not feasible.

Starting a new project with a memory-safe programming language, whenever possible, is the simplest way to begin transitioning. Organizations can also reduce the attack surface without a total rewrite by rewriting only critical functions and libraries that are most at risk for memory-safe bugs, which often include areas with buffer overflows and dangling pointers. Some memory-safe languages, such as Rust and Swift, are interoperable with C and C++, making this approach feasible. When taking this approach organizations must integrate the build systems and build abstractions in the new language for shared objects and data.

However, making this transition requires the right developer resources. Organizations should start by evaluating their current developer team to determine what expertise the team currently holds in terms of memory-safe languages. The next step is training current developers as well as ensuring that new developers are skilled in memory-safe languages.

Moving forward with memory-safe programming languages

With the increased focus on cybersecurity, many organizations are realizing that the most important step is moving from a reactive to a proactive approach. By going back to the beginning and focusing on creating secure code, organizations can significantly reduce their risk. While it’s not a simple or quick process, the benefits of making this shift are meaningful and long-lasting.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today