Light Dark
March 25, 2024 By Jennifer Gregory 3 min read
News

The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software.” The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages.

This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a goal of the Open-Source Software Security Initiative (OS3I), which recently released a new report.

What are memory-safe programming languages?

Memory bugs happen when a programmer writes code that causes an issue related to memory access. Common bugs happen with buffer overflows and dangling pointers. By using a memory-safe programming language such as Rust, Go, Java, Swift and Python, developers cannot create code that causes a memory bug because the language includes specific properties such as memory or type safety. When developers write code in non-memory safe languages such as C and C++, they can inadvertently write code that can cause memory access errors. Instead of catching the errors during compile time and runtime, as with memory-safe languages, the bugs make it into the final version and cause security issues.

While cybersecurity often focuses on reacting to threats, reducing risk starts by creating practices that reduce code errors that can create security issues. Google reported that 70% of severe security bugs are actually memory safety issues. Widely used programming languages such as C and C++ are often the culprit for many of the issues, especially due to pointer errors.

Using a memory-safe language significantly reduces or totally eliminates memory-safe vulnerabilities. This, in turn, reduces the cybersecurity risk of the final code. In addition to improved security, memory-safe languages also reduce crashes and allow developers to increase productivity because they do not need to focus on memory management issues.

ONCD report outlines two goals related to memory-safe languages

Reducing memory bugs is a complex issue that requires a multi-prong approach. The report focuses on getting organizations to focus on two specific areas related to memory-safe languages. Additionally, the government wants to focus on creating partnerships with the technical community, especially engineers and developers, to collaborate on making this key shift.

Here are the two main goals outlined in the fact sheet released with the report:

1. Reducing the attack surface in cyberspace

A smaller attack area means lower risk. Each line of code that creates vulnerabilities considerably expands the attack surface area. A single mistake that causes a memory-safe error can create a large number of vulnerabilities. The report recommends using a memory-safe programming language as one of the most effective ways of reducing the attack surface. With these languages, programmers cannot make the errors that lead to increasing the attack surface through memory bugs.

2. Anticipating systemic security risk

Many organizations are unable to accurately assess risk in their software because using metrics on constantly changing software is exceptionally challenging. While software measurability is a complex challenge, the shift starts by moving from being reactive to being proactive. By developing better diagnostics for cybersecurity quality, organizations can more accurately identify and proactively fix risks.

The reality of transitioning to memory-safe

While it’s easy to say organizations should use memory-safe languages, the reality is that this transition is complicated. Many software programs and libraries are based on non-safe memory-safe languages, and completely rewriting the entire codebase is often simply not feasible.

Starting a new project with a memory-safe programming language, whenever possible, is the simplest way to begin transitioning. Organizations can also reduce the attack surface without a total rewrite by rewriting only critical functions and libraries that are most at risk for memory-safe bugs, which often include areas with buffer overflows and dangling pointers. Some memory-safe languages, such as Rust and Swift, are interoperable with C and C++, making this approach feasible. When taking this approach organizations must integrate the build systems and build abstractions in the new language for shared objects and data.

However, making this transition requires the right developer resources. Organizations should start by evaluating their current developer team to determine what expertise the team currently holds in terms of memory-safe languages. The next step is training current developers as well as ensuring that new developers are skilled in memory-safe languages.

Moving forward with memory-safe programming languages

With the increased focus on cybersecurity, many organizations are realizing that the most important step is moving from a reactive to a proactive approach. By going back to the beginning and focusing on creating secure code, organizations can significantly reduce their risk. While it’s not a simple or quick process, the benefits of making this shift are meaningful and long-lasting.

 |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
December 23, 2024

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

November 18, 2024

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

November 4, 2024

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature