{"id":2602,"date":"2024-02-26T19:43:10","date_gmt":"2024-02-26T19:43:10","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=79439"},"modified":"2024-02-26T19:43:10","modified_gmt":"2024-02-26T19:43:10","slug":"oncd-releases-report-on-the-adoption-of-memory-safe-languages","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/02\/26\/oncd-releases-report-on-the-adoption-of-memory-safe-languages\/","title":{"rendered":"ONCD releases report on the adoption of memory-safe languages"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>ONCD releases report on the adoption of memory-safe languages | CyberScoop<\/title> <meta name=\"description\" content=\"The effort is aimed at reducing one of the most common vulnerabilities that plague software.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/memory-safety-vulnerability-national-cyber-director\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"ONCD releases report on the adoption of memory-safe languages\"> <meta property=\"og:description\" content=\"The effort is aimed at reducing one of the most common vulnerabilities that plague software.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/memory-safety-vulnerability-national-cyber-director\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-02-26T19:43:10+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg\"> <meta 
property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1308\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1706643139g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css,\/wp-content\/plugins\/embedpress\/Gutenberg\/dist\/blocks.style.build.css?m=1708535870\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/plugins\/embedpress\/assets\/css\/embedpress.css,\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1708725624\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=17ca7a1ec36db7d13744\" media=\"all\">\n<link rel=\"stylesheet\" id=\"all-css-10\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-includes\/css\/dashicons.min.css,\/wp-content\/plugins\/embedpress\/assets\/css\/plyr.css?m=1707697092\" type=\"text\/css\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" 
type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/79439\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=79439\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmemory-safety-vulnerability-national-cyber-director%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmemory-safety-vulnerability-national-cyber-director%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-79439 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/memory-safety-vulnerability-national-cyber-director\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span 
class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"23.025423728814\">\n<div class=\"single-article__header-content\" readability=\"27.764705882353\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/government\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> The effort is aimed at reducing one of the most common vulnerabilities that plague software. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"436\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages.jpg?resize=640%2C436&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg?resize=300,204 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg?resize=768,523 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg?resize=1024,698 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg?resize=1536,1046 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg?resize=600,409 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg?resize=247,168 247w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg?resize=495,337 495w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg?resize=991,675 991w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-2.jpg?resize=1237,843 1237w\" sizes=\"(max-width: 991px) 100vw, 991px\"><figcaption> The White House. 
(Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"31.815642458101\"><body readability=\"64.571521035599\"><\/p>\n<p>In its latest effort to move the cybersecurity burden from users to software and hardware makers, the White House issued a call to action Monday to get rid of one of the most common vulnerabilities by using memory-safe programming languages.<\/p>\n<p>The Office of the National Cyber Director\u2019s new <a href=\"https:\/\/www.whitehouse.gov\/oncd\/briefing-room\/2024\/02\/26\/memory-safety-fact-sheet\/\">technical report<\/a> is aimed at reducing the number of memory safety vulnerabilities, offering a strategic guide to eliminating this class of bug as much as possible. The document also asks the research community to come up with better cybersecurity metrics by addressing software measurability.<\/p>\n<p>\u201cWe\u2019re doing this because available data on common vulnerabilities and exposures identify it as one of the most pervasive class of bugs for decades. It is clear that the creators of software and of hardware are best positioned to address this problem,\u201d National Cyber Director Harry Coker said during a call with reporters Monday. \u201cNot all programming languages are created equal, and some are inherently more unsafe.\u201d<\/p>\n<p>The announcement is the latest effort by the Biden administration to move responsibility from end-users and small organizations to those that have the resources to reduce cybersecurity risks, as outlined in the national cybersecurity strategy and subsequent implementation plan. 
Last year, ONCD released a <a href=\"https:\/\/www.federalregister.gov\/documents\/2023\/08\/10\/2023-17239\/request-for-information-on-open-source-software-security-areas-of-long-term-focus-and-prioritization\">request for information<\/a> about open-source security, including the adoption of memory-safe languages.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Additionally, in December a coalition of U.S. and international security agencies <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-12\/The-Case-for-Memory-Safe-Roadmaps-508c.pdf\">released guidance<\/a> on switching to memory-safe languages like Rust where possible.<\/p>\n<p>But a shift of that kind is not an easy task. A senior ONCD official said during a call with reporters that depending on the size of the company, switching an existing codebase to a memory-safe programming language can be a multi-decade effort.<\/p>\n<p>Even so, a report by Microsoft highlights the issue, particularly a finding that around <a href=\"https:\/\/msrc.microsoft.com\/blog\/2019\/07\/a-proactive-approach-to-more-secure-code\/\">70% of the bugs<\/a> assigned as vulnerabilities are memory safety issues. Such vulnerabilities have led to some of the most well-known hacks, such as the <a href=\"https:\/\/heartbleed.com\/\">Heartbleed bug<\/a>, Anjana Rajan, ONCD\u2019s assistant national cyber director for technology security, said in a statement.<\/p>\n<p>\u201cFor 35 years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn\u2019t have to be this way,\u201d Rajan said. 
\u201cThis report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume \u2014 and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and ultimately, the nation.\u201d<\/p>\n<p>Additionally, the <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2024\/02\/Final-ONCD-Technical-Report.pdf\">report<\/a> calls for the development of \u201cempirical metrics that measure the cybersecurity quality of software.\u201d Calling it one of the \u201chardest open research problems,\u201d the report points to open-source software as an \u201cexcellent environment\u201d for applying software measurement.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The announcement was also accompanied by <a href=\"https:\/\/www.whitehouse.gov\/oncd\/briefing-room\/2024\/02\/26\/memory-safety-statements-of-support\/\">statements of support<\/a> for the report by a slew of industry representatives, academics, and experts.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.6193548387097\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/oncd-releases-report-on-the-adoption-of-memory-safe-languages-1.jpg?w=640&#038;ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. 
Reach out:&nbsp; christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div 
class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/memory-safety-vulnerability-national-cyber-director\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ONCD releases report on the adoption of memory-safe languages |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[117,1130,521,1073,439],"tags":[119,1132,524,1076,443],"class_list":["post-2602","post","type-post","status-publish","format-standard","hentry","category-government","category-harry-coker","category-office-of-the-national-cyber-director","category-open-source","category-policy","tag-government","tag-harry-coker","tag-office-of-the-national-cyber-director","tag-open-source","tag-policy"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/harry-coker\/\" rel=\"category tag\">Harry Coker<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/office-of-the-national-cyber-director\/\" rel=\"category tag\">Office of the National Cyber Director<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" 
rel=\"category tag\">Policy<\/a>","tag_info":"Policy","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2602","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2602"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2602\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}