Tech companies need to switch to memory-safe programming languages to boost software security, the White House Office of the National Cyber Director (ONCD) has said.
Programming languages such as Rust help to protect against memory related vulnerabilities, which Microsoft has previously said accounts for up to 70% of all security vulnerabilities in software developed using unsafe languages.
This latest call from the White House comes as the US looks to service providers and software vendors to protect the nation's cyberspace as part of the March 2023 National Cybersecurity Strategy.
Finally fixing a 35 year issue
Memory-unsafe programming languages can leave software plagued with issues relating to memory access, which can be abused using double free, buffer overflow, and use after free vulnerabilities.
The report [PDF] issued by the ONCD stated that, “For over 35 years, this same class of vulnerability has vexed the digital ecosystem. The challenge of eliminating entire classes of software vulnerabilities is an urgent and complex problem. Looking forward, new approaches must be taken to mitigate this risk.
“The highest leverage method to reduce memory safety vulnerabilities is to secure one of the building blocks of cyberspace: the programming language. Using memory safe programming languages can eliminate most memory safety errors.”
Several calls have been made by a number of private and governmental bodies, with the NSA issuing guidance for developers on using memory-safe languages in November 2022, followed by a similar Cybersecurity & Infrastructure Security Agency (CISA) report a year later in December 2023.
The Biden administration has significantly stepped up collaborations between public and private institutions to collaborate on cybersecurity, as state-sponsored threat actors from China, Russia and Iran have increasingly targeted vital US infrastructure in highly disruptive attacks.
Via BleepingComputer