Experts Warn of Overhauls in Memory-Safe Programming

Recent guidance from the Office of the National Cyber Director (ONCD) urging the universal adoption of memory-safe programming languages has raised concerns among experts. They accept the report’s assertion that employing memory-safe languages from the beginning improves cybersecurity, but express caution about the potential costs and challenges of extensive overhauls of existing software into these languages. The report emphasizes that dozens of memory-safe programming languages are available for the design and construction of new products, and highlights the potential positive impact of their use on cybersecurity across various industries. Acknowledging the long-standing issue of cybersecurity vulnerabilities, the report suggests that using memory-safe programming languages is a key step in strengthening the resilience of digital systems.

However, despite the apparent advantages, experts offer a word of caution, noting the impracticality and risks of migrating legacy code and information technology originally written in non-memory-safe languages. “Strategically focusing on eradicating memory-corruption vulnerabilities is crucial, due to their prevalence,” stated Chris Wysopal, co-founder and chief technology officer of Veracode. “However, completely rewriting existing software in memory-safe languages is impractical, expensive and could introduce new vulnerabilities.” While acknowledging the importance of this goal, Wysopal expresses reservations about the potentially high costs involved and the risk of introducing new vulnerabilities during the migration process. This cautionary perspective highlights the difficult balance between the need for improved cybersecurity and the practical challenges of implementing these changes.

The report identifies critical systems, particularly those built with programming languages like C and C++, which lack important memory safety traits and are proliferating widely. In response, experts advocate a more comprehensive approach that involves more than memory-safe programming languages. They propose additional runtime security measures, including memory protection, application sandboxing, and behavioral analysis. This strategy aims to create a more resilient cybersecurity framework by addressing vulnerabilities at various levels. The report also highlights ongoing efforts by manufacturers to improve memory safety through hardware advancements, detailing initiatives such as testing new memory-tagging extensions. The report emphasizes that even the space technology sector, which adheres to “secure by design” principles and relies heavily on digital automation, is not impervious to memory safety vulnerabilities. This acknowledgment highlights the universal challenges presented by cybersecurity vulnerabilities, even in highly advanced and technologically sophisticated domains.

Recognizing the potential benefits of memory-safe programming languages, experts collectively emphasize the need for a more comprehensive approach to cybersecurity. While the adoption of memory-safe languages is acknowledged as a positive step, experts caution against a singular focus, highlighting the importance of integrating additional measures. This comprehensive approach involves incorporating runtime security measures such as memory protection, application sandboxing, and behavioral analysis. The experts contend that solely emphasizing programming languages might not offer an all-encompassing solution to the diverse and evolving cybersecurity challenges experienced by the industry. These experts aim to address the dynamic nature of cyber threats and improve the overall resilience of digital systems by advocating for a broader strategy that combines various protective measures. 

Murphy Miller

Murphy Miller is the Editor of Healthcare IT Journal, a leading newspaper in healthcare information technology. Murphy's work covers a variety of topics including healthcare information technology advancements, health policy and compliance, patient privacy and confidentiality, and the financial aspects of healthcare. As the editor of the Healthcare IT Journal, Murphy Miller provides straightforward, informative content to guide professionals and policymakers in the healthcare and IT fields.
