U.S. government expands role in software security
The Biden administration continues to push for closer public-private partnerships to harden US information-technology infrastructure, calling on companies to shift to memory-safe programming languages and calling on the technical and academic communities to create better ways of measuring software security.
This week, the White House Office of the National Cyber Director (ONCD) released a report written for developers and engineers, arguing that the nation needs to create a new balance of responsibilities for defending cyberspace and better incentives for companies to invest in the cybersecurity of their products.
As initial steps, the ONCD called on technology manufacturers to shift to memory-safe programming languages — such as Python, Java, and Rust — which it says can eliminate up to 70% of vulnerabilities, and to develop better ways of measuring the security of their products.
The current ecosystem places too much burden on the people least able to afford the costs needed to secure critical infrastructure and systems against attackers, National Cyber Director Harry Coker said in a video statement.
“Today, end users of technology — whether individuals, small businesses, or critical infrastructure owners and operators — bear too much of the responsibility for keeping our nation secure,” he said. “A system that can be brought down by a few keystrokes needs better building blocks, a stronger foundation. We need to expect more of those most capable and best positioned to defend cyberspace, and that includes the federal government.”
Leaning into Cybersecurity
The Biden administration has leaned into efforts to improve the cybersecurity of the nation’s infrastructure, the vast majority of which is privately owned. A year ago, the administration released its National Cybersecurity Strategy calling for software liability and minimum cybersecurity requirements for the critical-infrastructure sector. The administration has also kept up a dialog with software makers and the open-source development community to find better ways to collaborate to push forward software security.
The latest report, Back to the Building Blocks: A Path Toward Secure and Measurable Software, shows that the government sees a long-term role in overseeing software security.
The efforts will likely work to convince many private-sector organizations to shift to memory-safe languages and away from C, C++, and machine code, says Clar Rosso, CEO of the cybersecurity education and certification group ISC2.
“Organizations will become more secure if we are able to step away from the reactive approach to cybersecurity and put a concerted effort behind shifting left,” she says. “However, none of this will be possible without collaboration between the public and private sectors — we need collective action if we’re going to chart a path toward secure and measurable software.”
Unsafe at Any Speed
Memory safety is a set of properties of modern programming languages that prevents programs from accessing memory outside of expected bounds and from using variables after their memory has been freed. By placing spatial and temporal limitations on software, memory-safe programming languages can eliminate entire classes of vulnerabilities that have previously led to major cyber events, such as the Slammer worm of 2003 and the Heartbleed vulnerability in 2014.
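As an added illustration of the spatial and temporal limits described above (this is example code, not from the ONCD report or the article), the following Rust parser handles a simplified heartbeat-style record whose shape is assumed here: a 1-byte type, a 2-byte big-endian declared payload length, then the payload. The Heartbleed-class mistake is trusting the declared length; in a memory-safe language that mistake surfaces as an error value or a panic rather than a read of adjacent memory.

```rust
/// Errors from the checked parser. The variant carries both lengths so a
/// defender can log exactly how far the declared length exceeded reality.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooShort,
    LengthExceedsPayload { declared: usize, available: usize },
}

/// Spatial safety made explicit: the declared length is compared against the
/// bytes actually present, and a lying length becomes an ordinary error.
pub fn parse_record(msg: &[u8]) -> Result<(u8, &[u8]), ParseError> {
    if msg.len() < 3 {
        return Err(ParseError::TooShort);
    }
    let kind = msg[0];
    let declared = u16::from_be_bytes([msg[1], msg[2]]) as usize;
    let payload = &msg[3..];
    match payload.get(..declared) {
        Some(p) => Ok((kind, p)),
        None => Err(ParseError::LengthExceedsPayload { declared, available: payload.len() }),
    }
}

/// The same logic written carelessly, trusting `declared`. In C this pattern
/// copied past the end of the buffer and leaked whatever lay beyond it; here
/// the slice is bounds-checked by the language, so the worst outcome is a
/// panic, never a silent disclosure.
pub fn parse_record_unchecked(msg: &[u8]) -> (u8, &[u8]) {
    let declared = u16::from_be_bytes([msg[1], msg[2]]) as usize;
    (msg[0], &msg[3..3 + declared])
}

/// Build the echo response from a validated payload. The returned Vec owns
/// its bytes, so it cannot dangle once the borrowed input buffer goes away:
/// the temporal half of memory safety, enforced by the borrow checker.
pub fn echo_response(kind: u8, payload: &[u8]) -> Vec<u8> {
    let len = payload.len() as u16; // validated against a u16 field, so it fits
    let mut out = Vec::with_capacity(3 + payload.len());
    out.push(kind);
    out.extend_from_slice(&len.to_be_bytes());
    out.extend_from_slice(payload);
    out
}
```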
To read the complete article, visit Dark Reading.