{"id":2947,"date":"2024-04-05T09:00:00","date_gmt":"2024-04-05T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/white-house-call-for-memory-safety-brings-challenges-changes-costs"},"modified":"2024-04-05T09:00:00","modified_gmt":"2024-04-05T14:00:00","slug":"white-houses-call-for-memory-safety-brings-challenges-changes-costs","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/05\/white-houses-call-for-memory-safety-brings-challenges-changes-costs\/","title":{"rendered":"White House’s Call for Memory Safety Brings Challenges, Changes & Costs"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

The recent publication “<\/span>Back to the Building Blocks<\/a><\/span>: A Path Toward Secure and Measurable Software” by the White House Office of the National Cyber Director (ONCD) provides additional detail and strategic direction supporting the <\/span>National Cybersecurity Strategy<\/a><\/span> released in March 2023. The strategy intends to shift a much greater share of responsibility for cybersecurity to software vendors, service providers, and other entities that develop software applications. This latest report provides a more specific direction by emphasizing an aggressive shift to <\/span>memory-safe programming languages<\/a><\/span> with software development practices.<\/span><\/p>\n

The Memory Safety Imperative<\/h2>\n

Traditional programming languages are frequently the weak link in software development, with memory safety vulnerabilities leading to significant incidents. Despite comprehensive code reviews and other security measures, these vulnerabilities persist, accounting for up to 70% of security issues in these languages. A shift toward memory-safe programming languages, as advised by the Cybersecurity and Infrastructure Security Agency’s (CISA) road map, is a critical step toward developing software that is secure by design.<\/span><\/p>\n

Navigating Legacy System Complexities<\/h2>\n

One of the most daunting challenges in this strategic shift is addressing the legacy systems developed in C and C++. These legacy systems are not only numerous but often critical to the operations of many organizations. Rewriting these systems in modern, memory-safe languages can be expensive and complex, resulting in the downtime of critical business processes.<\/span><\/p>\n

Moreover, memory safety vulnerabilities are primarily observed at the operating system level, affecting significant platforms like Microsoft and Linux. This categorization of issues at the runtime level, rather than the application level, underscores the broader challenge in cybersecurity: the pursuit of advanced security measures must be balanced against the practicalities and costs of implementing these changes, especially for established systems.<\/span><\/p>\n

Economic and Technical Considerations<\/h2>\n

Many organizations face formidable costs associated with overhauling older systems. Changing coding protocols is not only a technical decision but also a strategic one to ensure the security of the digital infrastructure of the future. As a result, decision-makers considering when to undertake the transition must evaluate the immediate financial and operational impacts versus the long-term benefits.<\/span><\/p>\n

Fortunately, technological innovations have already been developed that can reduce the cost and disruption of transitioning to safer code. For instance, code analysis tools can analyze legacy applications and semi-autonomously identify instances where C or Python code runs without proper isolation. And because of recent advances in compiler technology, even worst-case unsafe coding practices can be protected if written in an older language. These developments should significantly lessen the barriers to adopting safe coding practices for organizations of any size.<\/span><\/p>\n

A Collaborative Effort Toward a Secure Future<\/h2>\n

Policymakers and vendors must collaborate closely to balance enhancing security with maintaining essential software services. Embracing memory-safe programming languages, as recommended by the ONCD, is a crucial step in this journey and is integral to advancing our collective cybersecurity. <\/span><\/p>\n

Several industry leaders have already made significant investments in memory-safe languages. Examples include: <\/span><\/p>\n

\n