What Must IT Professionals Know About The White House Paper On Secure And Measurable Software?
By Fabien Chouteau, Global Technical Marketing Lead, AdaCore
In February 2024, the White House published its ONCD technical report, Back to the Building Blocks – A Path towards Secure and Measurable Software. For IT professionals, several of its recommendations are essential to consider. For those engaged in toolchain development for memory-safe programming languages and formal verification frameworks, the insights from the ONCD hold profound relevance.
This article summarizes the main points that IT professionals need to know from this pivotal document.
Selection of Memory-Safe Programming Languages
Adopting memory-safe programming languages is a critical recommendation for mitigating the vulnerabilities that lead to security breaches.
Memory safety, a key concept in software development, addresses how an application handles memory operations, such as reading, writing, allocation, and deallocation. A memory-safe application operates within the bounds of its allocated memory (it doesn’t access or modify memory locations that it’s not allowed to access). Improper memory management can result in severe problems ranging from crashing the application to security vulnerabilities that attackers can exploit.
Memory safety issues, such as buffer overflows and use-after-free errors, are prevalent exploit vectors for attackers. Organizations can substantially diminish software vulnerabilities by leveraging languages engineered to preempt these issues. It is important to select a language that can offer avenues for developing secure software that is resilient against diverse cyber threats.
Consider the track record of the language you select, especially whether it has prioritized memory safety as a fundamental design element.
Introduce Formal Verification
Formal verification frameworks assess the correctness of hardware and software design operations by applying formal mathematical proofs. As underscored by the ONCD, these frameworks are instrumental in ensuring the correctness of underlying algorithms within a system. By integrating formal verification into the development process, organizations can attain a higher level of assurance regarding the absence of specific errors or vulnerabilities in their software.
Additionally, formal verification facilitates compliance with regulatory requirements and industry standards by providing concrete evidence of software correctness and security.
Hardware Innovations
The ONCD advocates for the Capability Hardware Enhanced RISC Instructions (CHERI) architecture to bolster security through hardware-level innovations. CHERI offers protection against diverse cyber attacks by implementing fine-grained memory protection and control. This architecture provides a robust defense mechanism against sophisticated cyber threats.
Integrating the CHERI architecture into existing hardware ecosystems enables organizations to strengthen their resilience against various cyber threats, including memory corruption attacks and code injection exploits. Moreover, CHERI’s support for compartmentalization and privilege separation enhances the isolation of critical system components, further reducing the attack surface and mitigating the impact of potential security breaches.
Collaboration of the C-suite
The ONCD emphasizes the expanding responsibilities of CIOs and CTOs to collaborate with the CISO in ensuring cybersecurity within their organizations. Ultimate accountability for cybersecurity needs to rest with the CEO and board of directors. This is a proactive stance: it encourages integrating security considerations deeply into the business model and operational processes, thereby elevating cybersecurity to a core business imperative.
The report highlights the necessity for these leaders not only to understand the technical nuances of the cyber threats facing their companies but also to participate actively in developing and enforcing comprehensive cybersecurity strategies. By fostering a collaborative approach to cybersecurity governance, organizations can proactively address emerging threats and adapt to evolving regulatory requirements, ensuring long-term resilience in the face of cyber threats.
In conclusion, the ONCD report advocates a multifaceted approach to cybersecurity, emphasizing the pivotal roles of organizational leadership, advanced programming languages, formal verification, and innovative hardware architectures. As IT professionals operating at the nexus of software development and cybersecurity, you are responsible for championing and implementing these technologies. This imperative transcends mere technical challenges; it represents a strategic obligation for all organizations in the digital era.
About Fabien Chouteau
Fabien has been a software engineer with AdaCore for the past 14 years and is now the Technical Marketing Lead. Fabien joined AdaCore in 2010 after his engineering degree at the EPITA (Paris). He is involved in real-time, embedded, and hardware simulation technology. He is a maker/DIYer in his spare time; his projects include electronics, music, and woodworking.