Global security agencies push for memory safe roadmaps to address software vulnerabilities, boost cybersecurity

Software manufacturers have been urged by global security agencies to tackle memory safety vulnerabilities and incorporate secure-by-design principles. A guidance document from the agencies urges senior executives at every software manufacturer to reduce customer risk by prioritizing design and development practices that implement memory safe programming languages (MSLs). Additionally, the agencies urge software manufacturers to create and publish memory safe roadmaps that detail how they will eliminate these vulnerabilities in their products.

By publishing memory safe roadmaps, manufacturers will signal to customers that they are taking ownership of security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products. 

Titled ‘The Case for Memory Safe Roadmaps,’ the document details how software manufacturers can transition to MSLs to eliminate memory safety vulnerabilities. The guidance provides manufacturers with steps for creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products in line with key secure-by-design tenets.

Memory safety vulnerabilities are the most prevalent type of disclosed software vulnerability. They stem from well-known and common coding errors that malicious actors routinely exploit, according to the document released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the National Security Agency, Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, U.K.’s National Cyber Security Centre, New Zealand National Cyber Security Centre, and Computer Emergency Response Team New Zealand.

The types of memory-related coding errors mentioned in the guidance document include buffer overflow, use after free, use of uninitialized memory, and double free. Exploiting these vulnerabilities could allow malicious actors to access or corrupt data, or run arbitrary malicious code with the same privilege as the system owner.

The guidance said that these vulnerabilities represent a major problem for the software industry as they cause manufacturers to continually release security updates and their customers to continually patch. They persist despite software manufacturers historically expending significant resources attempting to reduce their prevalence and impact through various methods, including analyzing, patching, publishing new code, and investing in training programs for developers. 

Customer organizations expend significant resources responding to these vulnerabilities through onerous patch management programs and incident response activities. 

Over the past few decades, software developers have continually sought to address the prevalence and impact of memory safety vulnerabilities within their software development life cycle (SDLC) through mitigation methods. Despite these continued efforts, memory safety has remained a leading cause of disclosed vulnerabilities in software products. Nevertheless, these mitigations remain valuable, especially when used in combination, to protect code that has not yet been, or cannot be, transitioned to MSLs.

“Research shows that roughly 2/3 of software vulnerabilities are due to a lack of memory safe coding. Removing this routinely exploited security vulnerability can pay enormous dividends for our nation’s cybersecurity but will require concerted community effort and sustained investment at the executive level,” Jen Easterly, CISA director, said in a media statement. “It’s way past time for us to get serious about protecting all software customers and implement Secure by Design principles into baseline product development to eliminate these types of threats once and for all.” 

“Memory safety vulnerabilities affect software development across all industries,” according to Neal Ziring, technical director of the NSA Cybersecurity Directorate. “Working together to set clear goals and timelines in transition roadmaps to safer programming language is critical for mitigating these problems.”

The guide urges executives of software manufacturers to prioritize using MSLs, write and publish memory safe roadmaps, and implement changes to eliminate this class of vulnerability and protect their customers. Software developers and support staff should develop the roadmap, which should detail how the manufacturer will modify their SDLC to reduce and eventually eliminate memory unsafe code in their products. 

The guidance also provides a clear outline of elements that a memory safe roadmap should include. By creating a memory safe roadmap, manufacturers will signal to customers that they are embracing key ‘secure by design’ principles of taking ownership of their security outcomes, adopting radical transparency, and taking a top-down approach.

The document also recommends that software manufacturers create roadmaps for the utilization of, and transition to, MSLs. The transition will enable memory safe programming languages to mitigate memory-related vulnerabilities and reduce the products’ attack surface. Recommended memory safe programming languages mentioned in the CSI include C#, Go, Java, Python, Rust, and Swift. Software manufacturers should evaluate multiple memory safe programming languages before integrating them into their workflows.

It also includes technical and non-technical factors for software manufacturers to consider when developing their roadmap. These include picking a memory safe language, staff capabilities and resourcing, and prioritization guidance. 

Additional guidance includes elements that should be part of the roadmaps, including defined phases with dates and outcomes, dates for MSLs in new systems, internal developer training and integration plans, external dependency plans, transparency plans, and CVE support program plans.

Last week, CISA published its initial document in the secure by design alert series that focuses on malicious cyber activity against web management interfaces. It brings attention to how customers would be better shielded from malicious cyber activity targeting these systems if manufacturers implemented security best practices, eliminated repeat classes of vulnerabilities in their products, and aligned their work to secure by design principles.
