COMMENT
The recent publication "Back to the Building Blocks: A Path Toward Secure and Measurable Software" from the White House Office of the National Cyber Director (ONCD) provides additional details and strategic guidance to support the National Cybersecurity Strategy published in March 2023. The strategy intends to transfer a much greater share of responsibility for cybersecurity to software vendors, service providers and other entities that develop software applications. This latest report provides a more specific direction, emphasizing an aggressive shift towards memory-safe programming languages with software development practices.
The imperative of memory safety
Traditional programming languages are often the weak link in software development, with memory safety vulnerabilities leading to significant incidents. Despite extensive code reviews and other security measures, these vulnerabilities persist, accounting for up to 70% of security issues in these languages. A shift toward memory-safe programming languages, as suggested by the Cybersecurity and Infrastructure Security Agency (CISA) road map, is a critical step toward developing software that is secure by design.
Navigating the complexities of legacy systems
One of the most daunting challenges in this strategic shift is dealing with legacy systems developed in C and C++. These legacy systems are not only numerous but are often critical to the operations of many organizations. Rewriting these systems in modern, memory-safe languages can be expensive and complex, resulting in downtime of critical business processes.
Furthermore, memory safety vulnerabilities are primarily observed at the operating system level, affecting significant platforms such as Microsoft and Linux. This categorization of issues at the runtime level, rather than the application level, highlights the broader challenge of cybersecurity: the pursuit of advanced security measures must be balanced with the practicalities and costs of implementing these changes, especially for established systems.
Economic and technical considerations
Many organizations face enormous costs associated with overhauling older systems. Changing encryption protocols is not only a technical but also a strategic decision to ensure the security of the digital infrastructure of the future. As a result, decision makers considering when to make the transition must weigh the immediate financial and operational impacts against the long-term benefits.
Fortunately, technological innovations have already been developed that can reduce the costs and disruption of the transition to more secure code. For example, code analysis tools can analyze legacy applications and semi-autonomously identify instances where C or Python code is running without adequate isolation. And thanks to recent advances in compiler technology, even worst-case unsafe coding practices can be protected when written in an older language. These developments should significantly reduce barriers to adopting secure coding practices for organizations of all sizes.
A collaborative effort towards a secure future
Policymakers and vendors must work closely together to balance improving security with maintaining essential software services. The adoption of memory-safe programming languages, as recommended by the ONCD, is a crucial step in this journey and is integral to the advancement of our collective cybersecurity.
Several industry leaders have already made significant investments in memory-safe languages. Examples include:
- Mozilla’s Rust programming language: With its emphasis on memory safety, Rust offers a solid alternative to traditional programming languages that combines safety and performance.
- Microsoft’s investment in Rust: Recognizing that older languages have limitations, Microsoft embraced Rust and used it in several new projects where memory safety was an issue.
- Google’s memory safety efforts: Google has invested significant resources in identifying and mitigating memory safety vulnerabilities and has required the use of memory-safe languages in new developments. Last week, Google released a new research report, “Secure by Design: Google’s Perspective on Memory Safety,” making the case for a secure-by-design strategy. The report focuses on the adoption of languages with robust memory safety features and recognizes the limitations of evolving C++ to meet these standards.
Moving forward: Practical steps to meet ONCD recommendations
The path outlined in the latest ONCD report is challenging, but full of opportunities. It requires concrete steps from all players within the software development and cybersecurity ecosystems, including:
- Education and training: Organizations must commit to teaching their teams memory-safe languages and safe development practices, ensuring that developers can make the necessary changes.
- Phased transition plans: Organizations should create plans to transition legacy systems to maintainable, memory-safe languages. They should address the most critical areas first and roll the project out gradually to minimize operational disruptions.
- Leverage automation tools: Organizations should use modern code analysis tools and compilers that automatically identify and resolve unsafe coding practices while reducing the burden of manual processes.
- Policy and governance: Organizations must develop explicit governance constructs that ensure memory safety and protect development practices throughout the software development lifecycle.
- Community and collaboration: Importantly, organizations should reach outside their walls and engage the broader technology community in forums, partnerships, and open source projects to share the memory safety insights, challenges, and solutions that arise from this journey.
Improving security in the applications that drive the digital economy is a noble and complex but necessary undertaking that requires ongoing collaboration between the public and private sectors. The ONCD’s latest report represents a solid next step in articulating the strategy; however, more will is needed to realize the vision. Transitioning to memory-safe coding languages for new applications and updating legacy code present enormous challenges. However, progress is being made thanks to recent advances in software analytics and compiler technologies and the commitment demonstrated by many global technology leaders.