The Office of the National Cyber Director (ONCD) emphasizes the urgent need for developers to adopt memory-safe programming languages such as Rust to eliminate entire classes of memory-safety vulnerabilities. Its report, "Back to the Building Blocks: A Path Toward Secure and Measurable Software," is a strong recommendation rather than an executive order or law.
What Is ONCD's Recommendation for Secure Software Development?
Memory-unsafe languages such as C and C++ have long been a staple of software development, but significant cybersecurity risks have accompanied them. As Anjana Rajan, ONCD Assistant National Cyber Director for Technology Security, points out, past catastrophic cyber incidents such as the Morris worm (1988, which spread through a stack buffer overflow in the BSD fingerd daemon) and the Heartbleed vulnerability (2014, an out-of-bounds read in OpenSSL's TLS heartbeat handling) stemmed from memory safety bugs.
The prevalence of security bugs in C is striking: almost 50% of reported vulnerabilities across the seven most widely used languages over the past decade were in C code. Longevity and the sheer volume of deployed C account for part of that figure, but Kees "Case" Cook, a Google Linux kernel security engineer, notes that C's inherent weaknesses and undefined behavior make it prone to security flaws. In practice that means unchecked array and pointer indexing, manual memory management, and a language specification in which an out-of-bounds access is undefined behavior rather than a detected error.
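To make the Heartbleed pattern concrete, here is an added example in safe Rust of the "echo back N bytes" request at the heart of that bug. This is not code from the ONCD report, from OpenSSL, or from any project named on this page; the record layout it assumes (one type byte, a two-byte big-endian payload length, then the payload) is a simplified stand-in for the TLS heartbeat record, and the inputs are constructed for the demonstration.

```rust
// Added example (not from the ONCD report or any project named above): a
// Heartbleed-style "echo back N bytes" request, parsed in safe Rust.
// Assumption: the record layout is 1 byte type, 2 bytes big-endian payload
// length, then the payload. It is a simplified stand-in for the TLS
// heartbeat record, not the real wire format.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Fewer than the 3 header bytes arrived.
    TooShort,
    /// The sender claimed more payload than it actually sent.
    LengthExceedsPayload { claimed: usize, available: usize },
}

/// Returns the payload the peer asked to have echoed, or an error.
///
/// The C code at the root of Heartbleed copied `claimed` bytes starting at
/// the payload pointer without comparing `claimed` to the bytes actually
/// received, so a request claiming 65535 bytes with a 4-byte payload pulled
/// roughly 64 KiB of adjacent heap into the reply. Here the length is checked
/// explicitly; and even if the check were omitted, slicing with
/// `&payload[..claimed]` would panic on an out-of-range index rather than
/// read memory outside the record.
pub fn parse_heartbeat(record: &[u8]) -> Result<&[u8], ParseError> {
    if record.len() < 3 {
        return Err(ParseError::TooShort);
    }
    let claimed = u16::from_be_bytes([record[1], record[2]]) as usize;
    let payload = &record[3..];
    // `get` performs the bounds check and hands back None instead of
    // panicking, which lets the caller reject the request and keep serving.
    payload.get(..claimed).ok_or(ParseError::LengthExceedsPayload {
        claimed,
        available: payload.len(),
    })
}

/// Builds the response record: same type byte, the real length, echoed payload.
pub fn build_reply(record: &[u8]) -> Result<Vec<u8>, ParseError> {
    let echoed = parse_heartbeat(record)?;
    let mut reply = Vec::with_capacity(3 + echoed.len());
    reply.push(record[0]);
    reply.extend_from_slice(&(echoed.len() as u16).to_be_bytes());
    reply.extend_from_slice(echoed);
    Ok(reply)
}

fn main() {
    // Constructed inputs: a well-formed request and a Heartbleed-shaped one
    // that claims 65535 bytes but carries only "ping".
    let honest = [0x01, 0x00, 0x04, b'p', b'i', b'n', b'g'];
    let lying = [0x01, 0xFF, 0xFF, b'p', b'i', b'n', b'g'];
    println!("{:?}", build_reply(&honest)); // Ok([1, 0, 4, 112, 105, 110, 103])
    println!("{:?}", build_reply(&lying)); // Err(LengthExceedsPayload { claimed: 65535, available: 4 })
}
```

The point of the example is the second request: the claimed length is the attacker's to choose, and the only thing standing between it and a heap over-read is a comparison against the bytes actually received. In C that comparison is the programmer's responsibility and its absence is silent; in Rust the slice API forces the decision into the type system, so the worst outcome of forgetting it is a panic, not an information leak.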
The growing endorsement of memory-safe languages like Rust by industry giants such as Microsoft further underlines the need for a fundamental shift in programming practice. Microsoft Azure CTO Mark Russinovich has advised developers to stop starting new projects in C or C++ and to use Rust where a language without garbage collection is required. This aligns with Microsoft's ongoing work to rewrite core libraries in Rust and ship them in products such as Microsoft 365. For the security community the signal is clear: safer languages are moving into the mainstream, and C and C++ are on a path toward gradual retirement from new code.
For Linux admins, infosec professionals, internet security enthusiasts and sysadmins, ONCD's report spells out both the immediate impact and the long-term consequences of building on memory-unsafe languages. It raises hard questions about the security of existing codebases, and it serves as a call to action to adopt memory-safe languages for new work and to apply better diagnostics (such as fuzzing, sanitizers and static analysis) and security metrics to the code that remains.
Our Final Thoughts on ONCD's Recommendation
The recommendation from the White House's Office of the National Cyber Director to move toward memory-safe programming languages like Rust puts the spotlight on a persistent class of software vulnerabilities. Informed language and tooling choices during development can remove those risks at the source rather than patching them one at a time. Industry leaders' growing endorsement of memory-safe languages, and the long-term consequences for C and C++, should prompt a renewed focus on software security and on adopting safer programming practices.
What are your thoughts on ONCD's recommendation? Do you agree or disagree? Connect with us on X @lnxsec and let's have a discussion!