Plaintext: Stomping Out Those Memory Flaws
Welcome to Dark Reading in Plaintext, brought to your inbox this week by Sophos. In this issue of Plaintext, we dig into the ONCD report outlining the case for memory-safe languages. We also dip into the shadowy world of surveillance technologies and how governments are using them to spy on individuals around the world. If you enjoy Plaintext, please share it with friends and colleagues!
Stomp Out Those Memory Bugs. The White House Office of the National Cyber Director (ONCD) called on technology manufacturers to shift away from C, C++, and machine code in favor of memory-safe programming languages, such as Python, Java, and Rust. The idea is to eliminate whole classes of memory vulnerabilities (such as buffer overflows) in software. That could make a significant impact, with some estimates attributing as much as 70% of vulnerabilities to memory-safety bugs. However, expecting full rewrites of existing software is not realistic. It's also worth noting that memory-safe languages have their own set of vulnerabilities, too.
Refactoring existing products and software will incur significant costs: labor and time to make the changes, plus impact on business goals such as slower time-to-market, delayed features, and growth. "Many organizations may simply lack the development and engineering resources to perform the required refactoring of software, even if they were willing to place this as a priority above other competing requirements they face as a business," said Chris Hughes, a Cyber Innovation Fellow focusing on software supply chain at the Cybersecurity & Infrastructure Security Agency.
“While one can argue the value of the government favoring one programming language over another, they are correct in the fact that software security is increasingly important, and that software developers need to increase their focus on producing secure software.” John Allison , Checkmarx
The idea of using memory-safe languages is pretty well-established. The open source ecosystem has already moved away from non-memory-safe languages, with new development focusing on JavaScript, Python, TypeScript, and Java, which, assuming modern versions, all have memory-safety features. And many, if not most, modern enterprise software and mobile apps are already written in memory-safe languages, noted Jeff Williams, co-founder and CTO at Contrast Security. The memory issues are prevalent in legacy code buried deep in infrastructure.
However, more and more companies are beginning to rewrite core code in languages such as Rust to take advantage of those memory protections and type safety. Microsoft, for example, has written thousands of lines of Rust for the Windows kernel, slowly replacing the original C++ implementation, said Michal Erquitt, a senior security engineer at Security Journey. And Microsoft is not the only one. Cloudflare, Dropbox, Discord, Google, and Meta have all incorporated Rust in recent months.
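To make the memory-safety argument concrete, here is an added example (not code from the ONCD report or from any of the companies named above) in Rust. It parses a small length-prefixed record format that I constructed for illustration (byte 0 is a type, byte 1 a payload length, the rest payload); trusting that length byte is the textbook out-of-bounds read in C. The bounds-checked version returns an error on a bad length. The second version uses plain indexing, which is still memory-safe (the language inserts the check and panics rather than reading neighbouring memory), but an attacker-controlled length byte now crashes the process, which is one of the "own set of vulnerabilities" the text warns about. All function and type names here are my own.

```rust
// Added example: a constructed length-prefixed record format.
//   byte 0: record type, byte 1: payload length, bytes 2..: payload.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated { needed: usize, have: usize },
    TooShort,
}

/// Bounds-checked parse: every access goes through `get`, so a bad length
/// byte yields an error instead of a read past the end of the buffer.
pub fn parse_record(buf: &[u8]) -> Result<(u8, &[u8]), ParseError> {
    let kind = *buf.first().ok_or(ParseError::TooShort)?;
    let len = *buf.get(1).ok_or(ParseError::TooShort)? as usize;
    // A one-byte length cannot overflow usize here, but checked arithmetic is
    // the habit to keep when lengths come from 32- or 64-bit fields.
    let end = 2usize.checked_add(len).ok_or(ParseError::TooShort)?;
    let payload = buf
        .get(2..end)
        .ok_or(ParseError::Truncated { needed: end, have: buf.len() })?;
    Ok((kind, payload))
}

/// Same logic with plain indexing. Still memory-safe: Rust bounds-checks the
/// slice and panics instead of reading adjacent memory. But now a hostile
/// length byte turns into a crash, so "memory-safe" is not "bug-free".
pub fn parse_record_panicking(buf: &[u8]) -> (u8, &[u8]) {
    let kind = buf[0];
    let len = buf[1] as usize;
    (kind, &buf[2..2 + len])
}

/// Runs the panicking parser under `catch_unwind` so a caller (or a test)
/// can observe the panic as `None` without taking the process down.
pub fn parse_catching_panic(buf: &[u8]) -> Option<(u8, Vec<u8>)> {
    std::panic::catch_unwind(|| {
        let (kind, payload) = parse_record_panicking(buf);
        (kind, payload.to_vec())
    })
    .ok()
}

fn main() {
    // Constructed sample inputs.
    let good: [u8; 5] = [0x01, 0x03, b'a', b'b', b'c'];
    let truncated: [u8; 3] = [0x01, 0x20, b'a']; // claims 32 bytes, carries 1

    println!("{:?}", parse_record(&good));
    println!("{:?}", parse_record(&truncated));
    println!("{:?}", parse_catching_panic(&truncated));
}
```

The first parser is what the "eliminate buffer overflows" argument buys you: the worst a malformed record can do is produce an `Err`. The second shows the residual risk that migration does not remove, a denial of service on untrusted input, which is why the text's caveat about memory-safe languages having their own vulnerabilities still matters.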
Dark Reading in Plaintext is brought to you by Sophos
The 2023 Active Adversary Report for Security Practitioners. The remarkable decline in attacker dwell time is now well-documented, but what does that mean for those doing the hands-on work of infosecurity? Deep dive into this report to learn more.
The Dark World of Surveillance. U.S. Senator Ron Wyden (D-Ore.) has been banging the anti-surveillance drum for years. Today, Sen. Wyden sent a letter urging the Biden Administration to set minimum cybersecurity standards for telecommunications companies and wireless carriers, noting that lax controls expose individuals to surveillance by foreign governments. There is a whole shadowy world of commercial surveillance vendors offering a variety of tools and services that can be used to monitor and collect data from high-risk individuals such as journalists, human-rights activists, political dissidents, and opposition party politicians.
Earlier this month, Google's Threat Analysis Group released Buying Spying, an analysis of entities involved in developing, selling, and deploying spyware. A chilling finding from the report: "If governments ever claimed to have a monopoly on the most advanced cyber capabilities, that era is over. The private sector is now responsible for a significant portion of the most sophisticated tools we detect."
What We Are Reading
What We Heard On-Air
Tune in to our on-demand webinar "Tricks to Boost Your Threat Hunting Game" to learn about how threat hunting can make a difference in your organization.
“Each SOC is a snowflake.” Roselle Safran , CEO and Founder of KeyCaliber
From Our Library
Check out some of the latest reports from our Dark Reading Library.
On That Note
Mark your calendars for Dark Reading's first Virtual Event of 2024: March 21, 2024, for "Cybersecurity's Hottest New Technologies: What You Need to Know." Tune in to hear Alberto Yepez, managing director of Forgepoint Capital, outline the cybersecurity ecosystem and highlight game-changing cybersecurity technologies. Rinki Sethi, CISO of Bill.com, will offer the CISO's guide to next-generation defenses. The full-day virtual event includes panel discussions on AI, cloud, and SecOps. Register your seat so that you don't miss out!