Software makers need to embrace the growing number of newer programming languages that protect memory to reduce the number of security vulnerabilities in their products, according to cybersecurity agencies in the United States and other countries.
The U.S. Cybersecurity and Infrastructure Security Agency this week released a report outlining steps software developers can take to create roadmaps for migrating away from C and C++ and adopting memory safe programming languages like Rust, C#, Go, Java, Python, and Swift.
The lack of memory safe coding is behind as much as two-thirds of all software vulnerabilities, according to CISA Director Jen Easterly.
According to the report, memory safety vulnerabilities affect how many is accessed, written, or allocated in ways that aren't intended in the programming languages.
Bad actors may be able to manipulate software to make certain requests that may exploit vulnerabilities.
According to the report, about 70% of Microsoft CVEs and of flaws in Google's Chromium project are memory safety vulnerabilities.
For Mozilla, 32 of 34 critical- or high-rated flaws fell into this category.
Such flaws - which include buffer overflows, use of uninitiated memory, and use after free - come at a cost for both the software manufacturers and their users.
The report lays out various mitigation methods used by software makers that have fallen short in stemming the problem, including developer training, code coverage, secure coding guidelines, and fuzzing to reduce the prevalence of such vulnerabilities, as well as those - such as non-executable memory, control flow integrity, and sandboxing - to reduce their impact.
That said, these efforts are still valuable, particularly as organizations undertake the shift to memory safe languages or to protect code that hasn't yet been - or can't be - transitioned to such languages.
CISA and the other agencies involved in the report - including the FBI and National Security Agency as well as cybersecurity agencies in the UK, Canada, Australia, and New Zealand - said organizations need to start creating a roadmap that will guide them to eventually using memory safe languages.
Doing so will let users know that the manufactures are taking ownership of security outcomes, adopting extreme transparency, and using a top-down approach, according to CISA. In their roadmaps, organizations need to pick use cases that are appropriate for different memory safe languages, fire out how they'll train staff on the new languages, and start with smaller projects so developers can learn new tools and processes.
They also can prioritize security-critical code, figure out how to deal with code that is bound to the CPU, plan time for developers to learn new languages and to integrate new staff.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 07 Dec 2023 18:43:07 +0000