Cyber agencies call on software developers to improve memory safety

C, C++ no longer fit for purpose.

Old favourites among software developers like C and C++ can’t guarantee memory safe software and should be replaced, according to 'Five Eyes' countries’ cyber security agencies.

As part of their ongoing “secure by design” effort, the agencies have called on software developers to adopt memory-safe programming languages.

Memory safety failures are responsible for the lion’s share of software vulnerabilities, the Five Eyes-sponsored document explains: 70 percent of common vulnerabilities and exposures (CVEs) in each of Microsoft’s products and Google’s Chromium project, and 32 out of 34 high- or critical-rated CVEs in Mozilla.

Hence the focus on memory safety by the cyber security agencies of America, Canada, Australia, the UK and New Zealand.

The document explains that memory safety vulnerabilities are the most prevalent class of disclosed bug.

Familiar vulnerability types in this class include buffer overruns and use-after-free bugs, which give attackers a vector to “illicitly access data, corrupt data, or run arbitrary malicious code”.

“The pervasiveness of memory unsafe languages means that there is currently significant risk in the most critical computing functions,” the joint paper notes.

The agencies also “strongly encourage software manufacturers to write and publish memory safe roadmaps.”

This, the paper said, signals that software vendors are embracing the secure by design principles of taking ownership of their security outcomes; adopting “radical transparency”; and taking a top-down approach to developing secure products.

Copyright © iTnews.com.au. All rights reserved.