The Canadian Centre for Cyber Security (Cyber Centre) joined the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the following international partners to recommend to software manufacturers steps they can take to reduce customer risk by putting in place Secure-by-Design principles in their design and implementation practices:
- Australian Cyber Security Centre (ACSC)
- Computer Emergency Response Team New Zealand (CERT-NZ)
- National Cyber Security Centre New Zealand (NCSC-NZ)
- United Kingdom’s National Cyber Security Centre (NCSC-UK)
These recommendations include using memory safe languages in their products. Memory safe vulnerabilities are a class of well-known and common coding errors that are routinely exploited by threat actors. Software manufacturers have historically spent significant resources to reduce their prevalence and impact, as well as analyze, patch, and publish new code to respond to vulnerability disclosures. Despite this effort, memory safe vulnerabilities remain a leading cause of software vulnerabilities. As a result, customers spend significant resources responding to these vulnerabilities through time-consuming patch management programs and incident response activities.
While there are several tactics to reduce the prevalence of memory unsafety, including hardware-based protections and modifying existing memory unsafe languages, using memory safe programming languages (MSLs) is the most promising way to reduce their prevalence and impact. Investments to migrate workflows and codebases to MSLs will save money in the long-term. Prioritizing MSLs will reduce this class of vulnerability.
The new guidance urges software manufacturers to create and publish memory safe roadmaps - a plan for how they will eliminate memory safety vulnerabilities in their products. By publishing memory safety roadmaps, software manufacturers will signal to customers that they are taking ownership of their security outcomes. This means embracing radical transparency and taking a top-down approach to developing secure products.