ONCD asks software manufacturers to adopt memory safe languages

The White House Office of the National Cyber Director (ONCD) has released a new report asking software manufacturers to adopt memory-safe programming languages to help reduce vulnerabilities from entering the supply chain.

"For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way. This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem, and ultimately, the Nation", said Anjana Rajan, Assistant National Cyber Director for Technology Security.

ONCD asks software manufacturers to adopt memory-safe languages

For any reporting on this, I thought the below insights might be helpful from Chris Hughes, CISSP, chief security advisor at supply chain security startup, Endor Labs, and Cyber Innovation Fellow at the CISA, where he focuses on software supply chain security.

"If implemented, the recommendations can help eliminate systemic vulnerabilities impacting countless systems, applications, and software worldwide. It helps address entire classes of vulnerabilities that are pervasive across the software ecosystem and lead to countless vulnerabilities, exploits, and enabling malicious activity," said Chris.

"This is a good move to advocate for the adoption of memory-safe programming languages because it holds the potential to address longstanding vulnerabilities that plague systems despite being well-known and understood for decades. Additionally, it advocates for suppliers to make more risk-informed consumption and use of open source components, bringing better open source security and governance into the components included in products and shipped to customers, further mitigating risk from software supply chain attacks."

"The challenges implementing the recommendations are twofold: On one front, ONCD is asking suppliers to prioritize quality and security above other competing priorities such as speed to market, revenue, growth, and competition. Additionally, it may also require significant refactoring of existing products and software, which comes at a cost of labor, time, and more, and could detract from other goals such as growth and revenue, as well as delays in new features for existing consumers and customers of products. Many organizations may lack the development and engineering resources to perform the required refactoring of software, even if they were willing to place this as a priority above other competing requirements they face as a business."

"Manufacturers should implement secure software development methodologies such as NIST Secure Software Development Framework (SSDF) into their software development lifecycle. They should perform activities such as threat modeling for their products, implementing principles such as Secure-by-Design/Default, and being transparent with customers about the vulnerabilities and risks associated with the products they ship."