COMMENTARY
The recent publication “Back to the Building Blocks: A Path Toward Secure and Measurable Software” by the White House Office of the National Cyber Director (ONCD) provides additional detail and strategic direction supporting the National Cybersecurity Strategy released in March 2023. The strategy intends to shift a much greater share of responsibility for cybersecurity to software vendors, service providers, and other entities that develop software applications. This latest report provides a more specific direction by emphasizing an aggressive shift to memory-safe programming languages with software development practices.
The Memory Safety Imperative
Traditional programming languages are frequently the weak link in software development, with memory safety vulnerabilities leading to significant incidents. Despite comprehensive code reviews and other security measures, these vulnerabilities persist, accounting for up to 70% of security issues in these languages. A shift toward memory-safe programming languages, as advised by the Cybersecurity and Infrastructure Security Agency’s (CISA) road map, is a critical step toward developing software that is secure by design.
Navigating Legacy System Complexities
One of the most daunting challenges in this strategic shift is addressing the legacy systems developed in C and C++. These legacy systems are not only numerous but often critical to the operations of many organizations. Rewriting these systems in modern, memory-safe languages can be expensive and complex, resulting in the downtime of critical business processes.
Moreover, memory safety vulnerabilities are primarily observed at the operating system level, affecting significant platforms like Microsoft and Linux. This categorization of issues at the runtime level, rather than the application level, underscores the broader challenge in cybersecurity: the pursuit of advanced security measures must be balanced against the practicalities and costs of implementing these changes, especially for established systems.
Economic and Technical Considerations
Many organizations face formidable costs associated with overhauling older systems. Changing coding protocols is not only a technical decision but also a strategic one to ensure the security of the digital infrastructure of the future. As a result, decision-makers considering when to undertake the transition must evaluate the immediate financial and operational impacts versus the long-term benefits.
Fortunately, technological innovations have already been developed that can reduce the cost and disruption of transitioning to safer code. For instance, code analysis tools can analyze legacy applications and semi-autonomously identify instances where C or Python code runs without proper isolation. And because of recent advances in compiler technology, even worst-case unsafe coding practices can be protected if written in an older language. These developments should significantly lessen the barriers to adopting safe coding practices for organizations of any size.
A Collaborative Effort Toward a Secure Future
Policymakers and vendors must collaborate closely to balance enhancing security with maintaining essential software services. Embracing memory-safe programming languages, as recommended by the ONCD, is a crucial step in this journey and is integral to advancing our collective cybersecurity.
Several industry leaders have already made significant investments in memory-safe languages. Examples include:
-
Mozilla’s Rust programming language: With its emphasis on memory safety, Rust offers a solid alternative to traditional programming languages that marries security and performance.
-
Microsoft’s investment in Rust: Recognizing that older languages have limitations, Microsoft has embraced Rust and used it in several new projects where memory safety was a concern.
-
Google’s memory safety efforts: Google has invested considerable resources into finding and mitigating memory safety vulnerabilities and has called for using memory-safe languages in new developments. Last week, Google released a new research report, “Secure by Design: Google’s Perspective on Memory Safety,” advocating for a secure-by-design strategy. The report focuses on adopting languages with robust memory safety features and acknowledges the limitations of evolving C++ to meet these standards.
Moving Forward: Practical Steps to Meet the ONCD Recommendations
The path in the latest ONCD report is challenging, but rich with opportunity. It demands practical steps from all actors within the software development and cybersecurity ecosystems, including:
-
Education and training: Organizations must commit to teaching their teams about memory-safe languages and secure development practices, ensuring that developers can make the necessary changes.
-
Gradual transition plans: Organizations should create plans for transitioning legacy systems to memory-safe and manageable languages. They should address the most critical areas first and phase the project slowly to minimize operational disruption.
-
Leveraging automation tools: Organizations should use modern code analysis tools and compilers that automatically find and remediate unsafe code practices while reducing the burden of manual processes.
-
Policy and governance: Organizations must develop explicit governance constructs that bake in memory safety and secure development practices throughout the software development lifecycle.
-
Community and collaboration: Importantly, organizations should reach outside their walls and the broader tech community in forums, partnerships, and open source projects to share the knowledge, challenges, and solutions around memory safety that come with this journey.
Improving security in the applications that drive the digital economy is a lofty and complex but necessary undertaking requiring ongoing collaboration between the public and private sectors. The ONCD’s latest report is a solid next step in articulating the strategy; however, more will is needed to realize the vision. Transitioning to memory-safe coding languages for new applications and updating legacy code are enormous challenges. However, progress is being made with recent advancements in software analysis and compiler technologies and commitments demonstrated by many global technology leaders.
