White House's Call for Memory Safety Brings Challenges, Changes & Costs

COMMENTARY

The recent publication "Back to the Building Blocks: A Path Toward Secure and Measurable Software" by the White House Office of the National Cyber Director (ONCD) provides additional detail and strategic direction supporting the National Cybersecurity Strategy released in March 2023. The strategy intends to shift a much greater share of responsibility for cybersecurity to software vendors, service providers, and other entities that develop software applications. This latest report provides a more specific direction by emphasizing an aggressive shift to memory-safe programming languages with software development practices.

The Memory Safety Imperative

Traditional programming languages are frequently the weak link in software development, with memory safety vulnerabilities leading to significant incidents. Despite comprehensive code reviews and other security measures, these vulnerabilities persist, accounting for up to 70% of security issues in these languages. A shift toward memory-safe programming languages, as advised by the Cybersecurity and Infrastructure Security Agency's (CISA) road map, is a critical step toward developing software that is secure by design.

Navigating Legacy System Complexities

One of the most daunting challenges in this strategic shift is addressing the legacy systems developed in C and C++. These legacy systems are not only numerous but often critical to the operations of many organizations. Rewriting these systems in modern, memory-safe languages can be expensive and complex, resulting in the downtime of critical business processes.

Moreover, memory safety vulnerabilities are primarily observed at the operating system level, affecting significant platforms like Microsoft and Linux. This categorization of issues at the runtime level, rather than the application level, underscores the broader challenge in cybersecurity: the pursuit of advanced security measures must be balanced against the practicalities and costs of implementing these changes, especially for established systems.

Economic and Technical Considerations

Many organizations face formidable costs associated with overhauling older systems. Changing coding protocols is not only a technical decision but also a strategic one to ensure the security of the digital infrastructure of the future. As a result, decision-makers considering when to undertake the transition must evaluate the immediate financial and operational impacts versus the long-term benefits.

Fortunately, technological innovations have already been developed that can reduce the cost and disruption of transitioning to safer code. For instance, code analysis tools can analyze legacy applications and semi-autonomously identify instances where C or Python code runs without proper isolation. And because of recent advances in compiler technology, even worst-case unsafe coding practices can be protected if written in an older language. These developments should significantly lessen the barriers to adopting safe coding practices for organizations of any size.

A Collaborative Effort Toward a Secure Future

Policymakers and vendors must collaborate closely to balance enhancing security with maintaining essential software services. Embracing memory-safe programming languages, as recommended by the ONCD, is a crucial step in this journey and is integral to advancing our collective cybersecurity. 

Several industry leaders have already made significant investments in memory-safe languages. Examples include: 

Moving Forward: Practical Steps to Meet the ONCD Recommendations

The path in the latest ONCD report is challenging, but rich with opportunity. It demands practical steps from all actors within the software development and cybersecurity ecosystems, including:

Improving security in the applications that drive the digital economy is a lofty and complex but necessary undertaking requiring ongoing collaboration between the public and private sectors. The ONCD's latest report is a solid next step in articulating the strategy; however, more will is needed to realize the vision. Transitioning to memory-safe coding languages for new applications and updating legacy code are enormous challenges. However, progress is being made with recent advancements in software analysis and compiler technologies and commitments demonstrated by many global technology leaders.