As Building Blocks for the Digital World, Coding Must be Memory Safe and Secure
National Coding Week is upon us, and this is the perfect time to not only promote digital literacy skills across the country, but also to emphasize the importance of responsible and safe coding.
Coding gives us the ability to build things in the digital realm. Indeed, in our connected world, software is infrastructure that impacts our lives in ways ranging from inconvenient to life-threatening. How we build, and what “materials” we use to build our digital projects, matters. You wouldn’t want buildings to be constructed with shoddy materials and poor design—doing so puts lives in danger. Luckily, we have guardrails such as certifications and building codes in place to increase construction integrity. In coding, however, no such guardrails exist, so we must identify ways to shift our practices.
Two of the most popular programming languages are C and C++ because they’re among the fastest to run and are used in many programs and operating systems – they’re also some of the oldest (developed in 1972 and 1983, respectively). So why not stick with the tried and true, you might ask? Since the 70s and 80s (which produced some of my favorite music, by the way) internet use exploded—with accompanying software, operating systems, and devices all built on this older code—and people found ways to exploit the system for criminal and adversarial gains.
At the same time, the methods by which attackers exploit systems and the mitigations for those methods have been studied for decades. We know that a majority of vulnerabilities in memory unsafe code are due to memory safety weaknesses. In memory unsafe languages like C and C++, developers are responsible for managing space in memory, and when a developer inevitably makes a mistake, this leads to vulnerabilities that allow attackers to hijack the code and often gain full control of a victim’s computer.
Memory unsafe code is everywhere now, and it’s full of holes that have given attackers the reach and scale to hold our systems for ransom, access our personal information, and steal our nation’s business and security secrets. We can develop the best cybersecurity defenses in the world, but until we make headway on the issue of software insecurity, we will remain at unnecessary levels of risk. That’s why CISA is leading the way on Secure by Design, a generational effort to build cybersecurity into the design and manufacture of the technology products that underpin our world. And while the problem of insecure code is broader than just memory unsafety, the shift to memory safe languages presents a clear opportunity to eliminate one common cause of vulnerabilities. As our Senior Technical Advisor and resident crypto-historian Bob Lord often says, “In what other industry would the market tolerate such well-understood and severe dangers for end-users for decades?”
One unique challenge that we’re working on is addressing supply of and demand for secure coding skills. On the demand side, we’re working with tech companies to increase adoption of Secure by Design principles and commit to certain standards. Part of this involves working with these companies to develop roadmaps toward memory safety in their codebases. Of course, this means altering the demand for programmers with knowledge and experience in security and memory safe languages.
On the supply side, we need to expand digital skills to a broader population so that more people can enter the field; at the same time, we must also ensure that security concepts are woven throughout computer science and coding education. To do so, we need to alter our instruction and learning pathways in academia and in the self-taught coding community. In fact, on September 20th, we’ll be at the National Cybersecurity Education Colloquium to work with the community of Cybersecurity Centers of Academic Excellence (CAE) on incorporating Secure by Design principles into CAE requirements.
During National Coding Week, we call upon coding institutions to develop roadmaps toward weaving security concepts and memory safe programming languages into curricula. This is where you, as the coding community, come in. We need your help. And we want to help you. What challenges and roadblocks can CISA help you with? Who can we partner with? A great example of government in action is our newly announced Request for Information for fostering security in the open source software ecosystem (responses close October 9th!). We hope you’ll join us in this monumental effort!