The Cybersecurity and Infrastructure Security Agency is urging the software industry to embrace the use of memory safe programming languages as part of a wider effort to eliminate security vulnerabilities in code.
CISA called for the changes alongside a push to embrace secure-by-design practices during the software development stage and to increase the security of open source software.
The White House Office of the National Cyber Director in August issued a request for information on open source security, which sought input on the development of memory safe languages.
Bob Lord, senior technical advisor at CISA, urged software developers to make the elimination of memory safety vulnerabilities from their product lines a company goal, in a blogpost released Wednesday.
Software makers should begin the process by publishing a “memory safety roadmap,” which details information about how companies are modifying their software development lifecycle, Lord wrote in the blog.
The roadmap can include details such as the date by which a software company would start building products in memory safe languages as well as outline plans to support memory safety initiatives in open source libraries.
“Memory unsafety has plagued the software industry for decades and will continue to be a major source of vulnerabilities and real-world harm until top business leaders from the software manufacturers make appropriate investments and take ownership of the security outcomes of their customers,” Lord wrote in the blog.
Memory safety issues account for upwards of 70% of security vulnerabilities found in software, according to estimates by Google.
Brian Fox, CTO and co-founder of Sonatype, said issues like null pointers and buffer overflows, which are symptoms of unsafe memory usage, account for a significant percentage of vulnerabilities.
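To make the vulnerability class concrete, here is a short C example of the kind of buffer overflow Fox refers to, written for this page rather than taken from CISA, Sonatype or any product. The record layout, field names and input strings are constructed for illustration; the point is that an unchecked copy into a fixed-size field can silently overwrite whatever the compiler places next to it, while a bounds-checked copy rejects oversize input and leaves the record untouched.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size record filled from untrusted input.
 * The is_admin flag sits directly after the name buffer, so an overflow
 * of name[] lands on it (exact layout is compiler-dependent, but this is
 * the typical result). */
enum { NAME_MAX = 16 };

struct record {
    char name[NAME_MAX];
    int  is_admin;
};

/* Memory-unsafe version: no bounds check. strcpy writes strlen(src)+1 bytes
 * regardless of the destination size, so any src of NAME_MAX or more
 * characters runs past name[] and into the next field. Kept only to show
 * the defect; never call it with untrusted input. */
int set_name_unsafe(struct record *r, const char *src) {
    strcpy(r->name, src);
    return 0;
}

/* Bounds-checked version: refuses input that does not fit (including its
 * NUL terminator) instead of truncating silently, and never touches the
 * record on rejection. Returns 0 on success, -1 if the input was rejected. */
int set_name_checked(struct record *r, const char *src) {
    /* memchr bounded by NAME_MAX never reads past the field size we allow. */
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL)            /* no terminator within NAME_MAX: too long */
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(r->name, src, n + 1); /* copies the terminator too */
    return 0;
}

int main(void) {
    /* Constructed attacker-style input: 20 characters, more than NAME_MAX. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA";
    struct record r;

    memset(&r, 0, sizeof r);
    if (set_name_checked(&r, too_long) == -1)
        printf("checked copy rejected %zu-byte input, is_admin=%d\n",
               strlen(too_long), r.is_admin);

    /* Undefined behaviour on purpose: a hardened toolchain (stack protector,
     * _FORTIFY_SOURCE) may abort here, which is itself the mitigation at work.
     * Without it, is_admin is typically overwritten with 0x41414141. */
    memset(&r, 0, sizeof r);
    set_name_unsafe(&r, too_long);
    printf("unsafe copy: is_admin=0x%x\n", (unsigned)r.is_admin);
    return 0;
}
```

The checked variant is only a local fix; the broader argument on this page is that a memory safe language removes the class entirely, because the compiler or runtime performs this bounds check on every indexed write rather than relying on each developer to remember it.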
CISA Director Jen Easterly said in a Monday blogpost that unsafe languages like C and C++ have become a favorite target for malicious attacks, because they are among the fastest to run and are widely used in many programs and operating systems.
CISA participated in the 2023 National Cybersecurity Education Colloquium on Wednesday and called on education institutions to weave the use of memory safe programming into their lesson plans.