Fact Sheet: ONCD Report Calls for Adoption of Memory Safe Programming Languages and Addressing the Hard Research Problem of Software Measurability
ONCD Rallies Industry, Academia, and Civil Society to Join Effort
February 26, 2024
Read the full report here
Watch the video address here
Today, the Office of the National Cyber Director (ONCD) published a technical report entitled “Back to the Building Blocks: A Path Toward Secure and Measurable Software.” The report builds upon the President’s National Cybersecurity Strategy in describing the urgent need to address undiscovered vulnerabilities that malicious actors can exploit. The report outlines two strategic approaches to achieve this goal:
- Reduce the attack surface in cyberspace that our adversaries can exploit by preventing entire classes of vulnerabilities from entering the digital ecosystem and
- Anticipate systemic security risk by developing better diagnostics that measure cybersecurity quality.
This report complements other Biden-Harris Administration programs on secure-by-design and research and development efforts, including initiatives led by CISA, NSA, FBI, and NIST, among others. The United States Government recognizes that these approaches must be pursued in partnership with the technical community, which is well-positioned to take meaningful action to secure us in this decisive decade.
Securing the Building Blocks of Cyberspace
To reduce the attack surface, we must eliminate vulnerabilities at scale by securing the building blocks of cyberspace. Analysis of available common vulnerabilities and exposures (CVE) data identified memory safety vulnerabilities as one of the most pervasive classes of bugs for years.
Creators of software and hardware are best positioned to make progress on this endeavor. The highest-leverage method manufacturers can use to reduce memory safety vulnerabilities is to secure one of the building blocks of cyberspace: the programming language. Using memory safe programming languages can eliminate most memory safety errors. While in some distinct situations using a memory safe language may not be feasible, in most cases using a memory safe programming language is a scalable method to substantially improve software security.
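To illustrate the class of bug the report is talking about, the following is an added example (not code from the ONCD report or from any project it names). It parses length-prefixed records from an untrusted byte buffer, a pattern behind many out-of-bounds reads in code written in languages without memory safety. In a memory safe language the bounds checks are supplied by the language, so a malformed length produces a deterministic error instead of a read of adjacent memory. The record format and the sample bytes are constructed for this example.

```rust
// Added example, not from the ONCD report. Record format (assumed for this
// example): a 2-byte big-endian length followed by `len` payload bytes.

/// Parse one record from `buf`. Returns the payload and the number of bytes
/// consumed, or None if the buffer is truncated or the declared length
/// exceeds the bytes actually present.
pub fn parse_record(buf: &[u8]) -> Option<(&[u8], usize)> {
    // `get` returns None instead of reading past the end of the buffer.
    let hdr = buf.get(0..2)?;
    let len = u16::from_be_bytes([hdr[0], hdr[1]]) as usize;
    // Bounds-checked slice: a length larger than the remaining input fails
    // here rather than silently reading whatever memory follows the buffer.
    let payload = buf.get(2..2 + len)?;
    Some((payload, 2 + len))
}

/// Parse every record in `buf`, stopping at the first malformed one.
pub fn parse_all(mut buf: &[u8]) -> Vec<Vec<u8>> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        match parse_record(buf) {
            Some((payload, used)) => {
                out.push(payload.to_vec());
                buf = &buf[used..]; // `used` <= buf.len() is guaranteed above
            }
            None => break,
        }
    }
    out
}

fn main() {
    // Constructed sample input: two well-formed records ("abc" and "z")
    // followed by a record whose declared length (0xFFFF) far exceeds the
    // single byte that remains.
    let sample: [u8; 11] = [
        0x00, 0x03, b'a', b'b', b'c',
        0x00, 0x01, b'z',
        0xFF, 0xFF, 0x01,
    ];
    let records = parse_all(&sample);
    println!("parsed {} well-formed records", records.len());
    for r in &records {
        println!("  {:?}", String::from_utf8_lossy(r));
    }
    // The trailing malformed record is rejected, not read out of bounds.
    println!("malformed tail accepted: {}", parse_record(&sample[8..]).is_some());
}
```

The point of the example is where the check lives: `buf.get(2..2 + len)` is ordinary Rust, not a hand-written guard the programmer had to remember, and the compiler rejects any attempt to index the slice without an equivalent check. The same parser in a language without memory safety relies on every such check being written and kept correct by hand.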
Addressing the Software Measurability Problem
To anticipate other systemic risks to cyberspace, we must develop better metrics that can help us determine the cybersecurity quality of our software. Many organizations face risk from their software because of a lack of information that would otherwise help reduce further vulnerabilities – either by stopping them before they occur, finding them before they are exploited, or reducing their impact. However, creating such metrics is difficult because software is part of a dynamic and complex ecosystem.
The research community has a critical role in making progress in the science of measuring software. Software metrology is one of the hardest open research problems to address; cybersecurity experts have grappled with this problem for decades. This problem requires the refinement of existing metrics or tools, and pioneering efforts in software engineering and cybersecurity research. More vulnerabilities will be anticipated and mitigated by advancing capabilities to measure and evaluate software security before the software is released. The metrics developed will also inform the decision-making of a broad range of stakeholders, further improving the security of the digital ecosystem and incentivizing long-term investments in secure software development.
Public-Private Partnerships
The concepts in this report incorporate critical input received from leaders in the private sector, civil society, and academic communities. This includes public feedback from a Request for Information on Open-Source Software and Memory Safety, and from multiple nationwide technical workshops on Space Systems Cybersecurity.
As part of the launch of this report, ONCD is sharing statements of support for software measurability and memory safety from technical leaders at major global organizations here.
ONCD will continue to work with public and private sector partners to implement these recommendations.
Read the complete Statements of Support here.
###