White House recommends everyone moves to Memory Safe Programming by design

0 12

By Matthew Griffin Security and Privacy 20th May 2024

WHY THIS MATTERS IN BRIEF

By using memory safe programming languages companies could see a huge drop in the number of successful cyber attacks.

Love the Exponential Future? Join our XPotential Community, future proof yourself with courses from XPotential University, read about exponential tech and trends, connect, watch a keynote, or browse my blog.

A new White House report emphasizes the importance of adopting memory-safe programming languages and establishing software safety standards to prevent cyberattacks. Titled “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” the report focuses on reducing the attack surface by encouraging the use of memory-safe languages such as Python, Java, and C#, and promoting the development of standardized measurements for software security.

World's spies finally get the bug on a wall cam they've been chasing for so long

The report calls on tech professionals to implement memory-safe programming languages and develop new metrics for measuring hardware security. It aims to communicate the US government’s priorities for securing hardware and software at the design phase, offering advice and loose guidelines for IT professionals and business leaders.

“Even if every known vulnerability were to be fixed, the prevalence of undiscovered vulnerabilities across the software ecosystem would still present additional risk,” the report states. “A proactive approach that focuses on eliminating entire classes of vulnerabilities reduces the potential attack surface and results in more reliable code, less downtime, and more predictable systems.”

Memory safety vulnerabilities have been a persistent issue in programming languages for over 35 years, with no single solution emerging. The report highlights that while no “silver bullet” exists for every cybersecurity problem, using memory-safe programming languages can significantly reduce the types of cyberattacks possible. The Office of the National Cyber Director (ONCD) points out that popular languages like C and C++ are not memory safe, whereas Rust, a memory-safe language, has not yet been proven in critical aerospace systems.

OpenAI are building a team to stop super AI going rogue

The ONCD stresses the role of software and hardware creators in developing memory-safe hardware and software, suggesting that stakeholders focus on new products in memory-safe languages or rewriting critical functions or libraries.

Developing empirical metrics to measure the cybersecurity quality of software is crucial, according to the report. This task is challenging due to the diverse and unpredictable nature of software, and the fast-paced evolution of software development. Metrics for software safety must be dynamic and open to continuous monitoring and change.

Gartner VP Analyst Paul Furtado highlighted the importance of minimizing security incidents, noting that companies might have a long journey ahead in reducing their attack surface as per the report’s suggestions. He pointed out the reliance on underlying code libraries and the existing tech debt that needs addressing to mitigate underlying risks.

World's first in vivo human gene editing trial goes without a hitch

Large tech organizations have shown support for the report’s recommendations. Juergen Mueller, Chief Technology Officer at SAP, stated that adopting memory-safe languages could enhance software security and protect critical infrastructure from cybersecurity threats. Jeff Moss, president of DEFCON and Black Hat, endorsed the recommendation, emphasizing that it could eliminate whole categories of vulnerabilities that have been inadequately addressed for decades.

The report highlights that cybersecurity responsibility extends beyond the chief information security officer to include chief information officers and chief technology officers. These leaders should focus on three major areas: software development, the analysis of software products, and ensuring a resilient execution environment.

The report serves as a call to action for both the technical and business communities, urging them to adopt memory-safe programming languages and develop robust metrics for software security to enhance overall cybersecurity resilience. By prioritizing these measures, organizations can better safeguard against cyberattacks and improve the reliability of their software systems. This proactive approach to cybersecurity can result in more predictable and secure computing environments, reducing downtime and the potential for vulnerabilities.

Matthew Griffin / About Author

Matthew Griffin, described as “The Adviser behind the Advisers” and a “Young Kurzweil,” is the founder and CEO of the World Futures Forum and the 311 Institute, a global Futures and Deep Futures consultancy working across the next 50 years, and is an award winning futurist, and author of “Codex of the Future” series.

Regularly featured in the global media, including AP, BBC, Bloomberg, CNBC, Discovery, RT, Viacom, and WIRED, Matthew’s ability to identify, track, and explain the impacts of hundreds of revolutionary emerging technologies on global culture, industry and society, is unparalleled. Recognised for the past six years as one of the world’s foremost futurists, innovation and strategy experts Matthew is an international speaker who helps governments, investors, multi-nationals and regulators around the world envision, build and lead an inclusive, sustainable future.

A rare talent Matthew’s recent work includes mentoring Lunar XPrize teams, re-envisioning global education and training with the G20, and helping the world’s largest organisations envision and ideate the future of their products and services, industries, and countries.

Matthew's clients include three Prime Ministers and several governments, including the G7, Accenture, Aon, Bain & Co, BCG, Credit Suisse, Dell EMC, Dentons, Deloitte, E&Y, GEMS, Huawei, JPMorgan Chase, KPMG, Lego, McKinsey, PWC, Qualcomm, SAP, Samsung, Sopra Steria, T-Mobile, and many more.