Statements of Support for Software Measurability and Memory Safety
Today, the Office of the National Cyber Director released a new Technical Report titled “Back to the Building Blocks: A Path Toward Secure and Measurable Software.” This report builds upon the President’s National Cybersecurity Strategy and addresses the technical community, calling on it to tackle undiscovered vulnerabilities that malicious actors can exploit.
Leading technology companies, academics, and civil society organizations applauded the Biden-Harris Administration’s efforts and underscored the importance of software measurability and memory safety:
Industry
Mark Dankberg, Chairman and CEO, Viasat: “We applaud the White House and ONCD for its continued leadership in advancing cyber defenses and its outreach to the space community. This new technical report takes a positive step forward on a critical issue—the need for foundational safeguards against the root cause of many vulnerabilities across the software supply chain. Addressing vulnerabilities across systems and infrastructure, and ensuring resilient and diverse connectivity options are vital to national security interests. Space adds an important layer to this diversity but, by its nature, faces a distinct set of security challenges. We strongly believe in public-private partnership and are excited to align with ONCD on creative security approaches that go beyond just standard controls and reporting requirements.”
John Delmare, Global Cloud and Security Application Lead, Accenture: “Memory safety vulnerabilities pose a significant security risk to software systems and are a root cause of many of the most damaging cyberattacks. To address this, we need to adopt memory safe programming languages for new applications and rewrite code using modern memory safe languages with secure development practices from the start. We’re pleased to see the ONCD raise this issue because the integrity of the global software supply chain is critical for national and international security.”
Dan Guido, Chief Executive Officer, Trail of Bits: “The ONCD Report’s focus on memory-safe programming is a game-changer for cybersecurity, underscoring the urgent need to prioritize safety in our coding practices and drastically reduce vulnerabilities. At Trail of Bits, we stand firmly behind this crucial shift towards a safer digital future, leveraging formal methods to prove that these techniques are not merely theoretical ideals but practical necessities. Our experience has demonstrated that formal methods combined with memory-safe programming languages provide a robust framework for eliminating vulnerabilities with unparalleled precision. Trail of Bits is committed to supporting and advancing these practices, aligning our efforts with the report’s recommendations to foster a more secure digital ecosystem.”
Juergen Mueller, Chief Technology Officer, SAP: “As a market leader in enterprise application software, SAP practices secure-by-design principles to deliver safe and compliant products that help companies of all sizes and in all industries run better. Memory safety is an important aspect of SAP’s secure software development processes. We believe adopting memory-safe languages presents an opportunity to improve software security and further protect critical infrastructure from cybersecurity threats. We look forward to collaborating with the Administration on this important initiative to strengthen software assurance by prioritizing the use of memory-safe programming languages.”
Fidelma Russo, Executive Vice President and General Manager, Hybrid Cloud and Chief Technology Officer, Hewlett Packard Enterprise: “We commend Director Coker and the Administration for this initiative, which is an important response to the ever-evolving cyber threat landscape. Memory-safe computing prevents vulnerabilities before they can be exploited by threat actors, and will be a new internal standard at HPE for cloud-native development.”
Shyam Sankar, Chief Technology Officer, Palantir: “The Office of the National Cyber Director has written what will become mandatory reading for the entire technical community as it works towards maximizing the security of our shared digital ecosystem. By taking an engineering-first approach to cybersecurity policy, the White House is providing an actionable roadmap for reducing memory safe vulnerabilities and improving software measurement capabilities — both of which are necessary to ensure that all software innovators are doing their part to defend against daily cyber threats to U.S. national security. Palantir strongly supports the implementation of this report’s recommendations, and is committed to helping operationalize this critical framework for the entire industry. The White House should be commended for this exercise in leadership and we look forward to working with our partners across government and industry to elevate this new chapter in engineering-defined policymaking.”
Jason Urso, Chief Technology Officer, Honeywell Connected Enterprises: “Cybersecurity for operational technology (OT) networks associated with critical infrastructure is a paramount concern. Adding memory safe programming as part of the software design process will be a valuable addition to the cyber defense toolkit that includes network segregation, high security models, and real time threat and vulnerability assessments. We commend the Office of the National Cyber Director for considering mechanisms to protect our nation’s critical assets.”
Civil Society and Academia
Dan Boneh, Professor of Computer Science, Stanford University: “I read the White House report on ‘A Path Toward Secure and Measurable Software.’ It is impressive to see the White House take on the important topic of software security via the use of better programming languages. Memory safety bugs have led to numerous vulnerabilities in real-world systems. Software quality would be greatly improved if we could somehow wave a magic wand and have all existing software translated to a memory-safe language. Unfortunately, such a magic wand does not yet exist. The White House is taking a pragmatic approach, and is proposing to start this conversion with critical space systems, which is a good testing ground for the proposed approach. Preventing memory safety bugs is only the beginning of a long journey towards more secure software. Formal verification and confinement technologies are important tools in our arsenal, and I was happy to see that the White House is calling for further investment in these technologies.”
Sadie Creese, Professor of Computer Science, University of Oxford: “This is an exceptionally timely initiative. As the world increases its dependency on software and systems at ever increasing scale and speed, the potential for cyber-harm from malign actors also grows. Such harm can represent significant losses to commercial enterprises and risk to our critical infrastructures. We have always suffered from software weakness in our systems. Those of us working in cybersecurity continuously innovate risk controls to protect organisations. But our systems will only increase in complexity, dynamism and scale in the future; if we are to deliver cyber-resilience it is crucial that we seek to reduce those software vulnerabilities which form viable attack surfaces. Removing such unnecessary and preventable opportunity to compromise our systems will create space for our cybersecurity teams to focus on responding to more sophisticated and harder to detect styles of attack. This is essential; as we have such limited capacity, we must create an operational environment which optimises our resources. Developing methods which allow us to measure the integrity of software and ensure memory safety will also be key to securing our global supply-chains, which we know are being targeted. This is crucial as our supply-chains are actually aggregating systemic cyber-risk. In short, I welcome the intervention of ‘Back to the Building Blocks: A path toward secure and measurable software’ and very much look forward to participating in the global community response.”
Katie Gray, Senior Partner, In-Q-Tel: “Securing our nation’s private and public sector organizations against malicious cyber activity is of paramount importance. Alongside large commercial entities and academia, the startup community has been focused on bringing novel, innovative solutions to market to address the tough problem of securing the software supply chain that underlies the U.S. economy. Startups also have an important role in developing the secure software of tomorrow, by making choices now – for example, using memory-safe programming languages and incorporating secure software development practices – that will make for a more resilient world.”
Jeff Moss, President of DEFCON and Black Hat: “Internet security problems are global problems, and solving them will require engagement from our Nation’s leaders. I commend the Office of the National Cyber Director for taking the important first step beyond high-level policy, translating these ideas into calls-to-action the technical and business communities can understand. I endorse the recommendation to adopt memory safe programming languages across the ecosystem because doing so can eliminate whole categories of vulnerabilities that we have been putting band-aids on for the past thirty years. As the report accurately states, responsibility for cybersecurity by design starts with the CEO and the board of directors and flows down to the chief technology officer, the chief information officer, and the chief information security officer.”
###