Guide encourages software manufacturers to address memory safety vulnerabilities and implement secure by design principles.
WASHINGTON - Today, the Cybersecurity and Infrastructure Security Agency, in partnership with the National Security Agency, Federal Bureau of Investigation, and international cybersecurity authorities from Australia, Canada, New Zealand, and the United Kingdom, published a joint guide, The Case for Memory Safe Roadmaps: Why both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, as part of our collective Secure by Design campaign to address the critical issue of memory safety vulnerabilities in programming languages.
Memory safety vulnerabilities are the most prevalent type of disclosed software vulnerability; they arise when a program accesses, writes, allocates, or deallocates memory in unintended ways, a class of defect that memory unsafe programming languages do not prevent.
Because this class of vulnerability is so prevalent, software manufacturers are consistently releasing updates that their customers must continually patch.
Previous attempts at solving the problem have made only partial gains, and currently, two-thirds of reported vulnerabilities in memory unsafe programming languages still relate to memory issues.
The guide strongly encourages executives of software manufacturers to prioritize using memory safe programming languages, to write and publish memory safe roadmaps, and to implement changes that eliminate this class of vulnerability and protect their customers.
Software developers and support staff should develop the roadmap, which should detail how the manufacturer will modify their software development life cycle to dramatically reduce and eventually eliminate memory unsafe code in their products.
This guidance also provides a clear outline of elements that a memory safe roadmap should include.
By creating a memory safe roadmap, manufacturers will signal to customers that they are embracing key Secure by Design principles of taking ownership of their security outcomes, adopting radical transparency, and taking a top-down approach.
With our partners, CISA encourages stakeholders, partners, and software manufacturers to review the guide and implement its recommended actions.
About CISA. As the nation's cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
This Cyber News was published on www.cisa.gov. Publication date: Wed, 06 Dec 2023 18:43:05 +0000