White House Calls on Software Devs to go ‘Memory Safe’ for a Secure Future

The White House Office of the National Cyber Director (ONCD) wants technology firms to adopt memory-safe programming languages and move toward security by design to reduce the number of vulnerabilities disrupting the nation’s digital ecosystem and better manage the evolving threat landscape.

The office released a report Monday detailing what it expects from the tech community to help avoid future cyberattacks against U.S. systems. The report also highlights the importance of eliminating memory-safety vulnerabilities that have been a primary reason for multiple cyberattacks for the past several decades including the Morris worm of 1988 and the Blastpass exploit of 2023.

“We, as a nation, have the ability — and the responsibility — to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem but that means we need to tackle the hard problem of moving to memory safe programming languages,” said National Cyber Director Harry Coker during a call with reporters. “The report released today outlines the threat and opportunity available to us as we move toward a future where software is memory safe and secure by design.”

The report comes almost a year after the National Cybersecurity Strategy notably put the burden for cybersecurity on software manufacturers. The report outlines two strategic approaches developers could take:

• Reduce the attack surface in cyberspace that adversaries can exploit by preventing entire classes of vulnerabilities from entering the digital ecosystem.
• Anticipate systemic security risk by developing better diagnostics that measure cybersecurity quality.

ONCD is also encouraging the research community to address the problem of software measurability to enable the development of better diagnostics to measure cybersecurity quality. The report outlines how more vulnerabilities can be anticipated and mitigated by advancing capabilities to measure and evaluate software security before software is released.

A senior official at the agency recognized the journey to “memory safe” will be a long one.

“Migrating to memory safe code, to be clear, could become a multi-decade effort depending on the size of the company and requires the attention and support of all,” the official told reporters. “The sooner we do it, and those who are able to move forward, will make an outsized impact on the security of our nation.”

The document also highlights how the new metrics will inform decision-makers, further improving the security of the digital ecosystem and incentivizing long-term investments in secure software development.

“I’m also pleased that we are working with, and calling on, the academic community to help us solve another hard problem: how do we develop better diagnostics to measure cybersecurity quality?” said Coker. “Addressing these challenges is imperative to ensuring we can secure our digital ecosystem long term and protect the security of our nation.”