RSAC: Decoding US Government Plans to Shift the Software Security Burden – Source: www.infosecurity-magazine.com

US government plans to boost software security by design were analyzed during the RSA Conference 2024.

During the event, Bob Lord, a senior technical advisor at the US Cybersecurity and Infrastructure Security Agency (CISA), said it was imperative to overcome accepted norms in regard to software security – that the security burden is placed on the end user, who are least able to understand the threat landscape, protect themselves, and respond to incidents.

He noted that when software vulnerabilities are exploited, the focus tends to be on blame the victims – for example, for not patching fast enough or not deploying multi-factor authentication (MFA).

However, the US government’s National Cybersecurity Strategy, published in 2023, seeks to redress this balance by shifting more security responsibility on the software manufacturers.

US government officials and cybersecurity experts discussed two key ways they are looking to achieve this shift during the conference.

Implementing Memory Safe Coding Languages

Numerous analyses have demonstrated that around two-thirds of critical vulnerabilities are memory safety issues, such as buffer overflows. For example, 70% of Microsoft common vulnerabilities and exposures (CVEs) are memory safety vulnerabilities.

These arise through the prevalent use of C/C++ coding language in software, which has no guardrails or safety mechanisms against memory issues.

Dr Dan Wallach, a program manager at the US Defense Advanced Research Projects Agency (DARPA), noted: “We keep seeing the same problems year after year.”

As part of efforts to reduce the reliance on C/C++ languages, in February 2024 the White House published a paper urging the tech industry to adopt memory safe programming languages.

However, Wallach acknowledged that ending reliance on C/C++ is no easy task, especially given many of the alternative memory safe languages are slower and use more memory.

Thankfully, the Rust programming language, which was first developed in the mid-2000s, now provides a viable option to replace C, as it doesn’t have the performance trade-offs that other languages have, and crucially, has a compiler checked memory safety guarantee.

How to Implement Rust Coding

Despite the growing popularity of Rust, implementing it widely will be a significant challenge given the extent of our current reliance on C. Wallach acknowledged this will need to be an incremental effort, starting with ensuring all new software is written in Rust.

This will require software manufacturers having the necessary incentives to make the necessary changes, including retraining their developers to be able to write in Rust.

Lord said: “We need to start making more demands on the software providers themselves so they start working on this with a real sense of urgency.”

Lord and Wallach also provided a roadmap for manufacturers to ensure their software is memory safe:

1. Have defined phases of implementing memory safe languages
2. Set out key milestones, such as the date after which the company will write code solely in memory safe languages
3. Build a developer training plan for writing code in Rust
4. Have a plan to deal with C/C++ dependencies
5. Have a transparency plan, in which regular updates are given
6. Be committed to the CVE process, being as transparent as possible about vulnerabilities
7. Commit to sharing your experiences of implementing memory safe languages with other organizations
8. Ensure the plan is signed by the CEO to demonstrate intent

Introducing Liability for Software Manufacturers

During a separate session at RSA, the panellists discussed how the US government can effectively shift liability for software security to manufacturers, thereby incentivizing secure by design practices.

Nick Leiserson, the assistant national cyber director for the Cyber Policy and Programs at the Office of the National Cyber Director (ONCD), said the White House’s goal is to ensure “some of the costs borne on users today will be borne by developers.”

Currently, the incentive for secure software development is not there due to the widespread use of software licenses that contain a limitation of liability – protecting manufacturers from potential litigation by end users.

Leiserson acknowledged that legislative changes will be needed to tackle the use these contracts, and the US government is currently going through an extensive process to understand how best to apply liability regimes for the unique nature of software.

“We don’t want liability for liability’s sake,” he emphasized.

James Dempsey, lecturer at the UC Berkeley School of Law, highlighted four steps the government needs to take to build such a liability regime:

1. Identify a legal framework
2. Define a standard of care
3. Construct a safe harbor
4. Address open-source software

Leiserson added that the government is not seeking a strict liability regime, but one that changes the incentive structures for manufacturers.

Incentives from Across the Ecosystem

Speaking to Infosecurity, Lord emphasized that the key to changing the behaviors of software manufacturers is incentives – and these come in a variety of forms.

The first stage is for the government to establish clarity around what “good” looks like in secure software development, and using that as a benchmark for what good and bad security outcomes are for end users.

He would like to see software firms engage in “radical transparency” in this regard – talking about their security programs and what they have found does and doesn’t work and full disclosure of vulnerabilities, including root cause analysis.

This needs to be coupled with what Lord described as the “demand signal” – customers understanding what good looks like, and asking software to be built according to these principles.

“We need the customers to start making that part of their procurement process,” he said.

Lord added that incentives are also the key to ensuring software developers are trained in using memory safe programming languages. This includes within the education system, where he acknowledged it takes times to bring the curriculum up to speed in this regard.

However, this will be achieved much faster if software manufacturers require their programmers to know how to write memory safe code.

“The demand signal from companies is a factor in how many institutions teach, so as long as the hiring managers have jobs that are advertised as C/C++ programmers, universities are going to do the rational thing and take that into account,” explained Lord.