Fiscal 2023 Appropriations Bill Contains Provision Endorsing Memory Safety
The appropriations bill that Congress approved on Friday includes provisions for memory safety, according to a security researcher who worked with the U.S. Senate.
Jack Cable said in a Twitter post on Tuesday that Congress included a provision in the fiscal year 2023 omnibus bill that requires the national cyber director to study memory safety in the government and report on the issue. The National Security Agency and the Cybersecurity and Infrastructure Security Agency have been considering the impacts of programming languages that do not automatically check and control memory management.
While Cable said the national cyber director is required to study the impacts of memory safety, the actual bill states that the director is only encouraged to do so, Nextgov reported Tuesday.
Bob Lord, a senior technical adviser at CISA, said around 67 percent of the vulnerabilities that the agency detects are associated with memory management issues. In a separate information sheet released in November, the NSA likewise pointed out that poor memory management can allow bad actors to compromise software and systems.
NSA said memory-safe languages like JavaScript and Python control how memory is allocated, accessed and managed, unlike the more commonly used languages such as C and C++. The agency recommends using memory-safe languages whenever possible, but it warned that there are tradeoffs in doing so.
According to NSA, adopting memory-safe languages can also mean more upfront effort to get a program working. However, the agency said manually reviewing code is also time- and labor-intensive and carries other costs, such as those involved in post-cyberattack remediation.
NSA also recommended that developers use specific tools to test applications for memory mismanagement mistakes that bad actors can take advantage of.
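To make concrete what "automatically check and control memory management" means in practice, here is an added C example; it is not code from the article, the NSA information sheet, or CISA. In C the standard string routines do not know how large the destination buffer is, so the length check that a memory-safe language performs for every access has to be written by hand. The buffer size `NAME_MAX` and the two function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added illustration (not from the article): size of a fixed-length
 * destination buffer, chosen arbitrarily for the example. */
#define NAME_MAX 16

/* Unchecked pattern: strcpy trusts the caller. If src (including its
 * terminating NUL) is longer than dst, it writes past the end of dst.
 * This is the class of memory-management mistake the article refers to.
 * Kept here only for comparison with the checked version below. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: measure src against the known capacity of dst before
 * copying, and refuse input that does not fit. dst is always left as a
 * valid NUL-terminated string. Returns 0 on success, -1 on rejection.
 * A memory-safe language would perform the equivalent check on every
 * write, so the programmer could not forget it. */
int copy_name_checked(char dst[NAME_MAX], const char *src) {
    size_t n = 0;
    /* Scan at most NAME_MAX bytes so an unterminated src cannot cause
     * an out-of-bounds read either. */
    while (n < NAME_MAX && src[n] != '\0') {
        n++;
    }
    if (n >= NAME_MAX) {          /* no room for n bytes plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n + 1 <= NAME_MAX, so this fits */
    return 0;
}

int main(void) {
    char buf[NAME_MAX];
    /* Constructed sample inputs: one that fits and one that does not. */
    const char *ok  = "alice";
    const char *big = "this-name-is-far-too-long-for-the-buffer";

    printf("checked(\"%s\") -> %d, buf=\"%s\"\n", ok, copy_name_checked(buf, ok), buf);
    printf("checked(\"%s\") -> %d, buf=\"%s\"\n", big, copy_name_checked(buf, big), buf);
    return 0;
}
```

The "specific tools" NSA mentions include runtime checkers such as AddressSanitizer: compiling the example with `-fsanitize=address` under GCC or Clang and calling `copy_name_unchecked` with the oversized input makes the out-of-bounds write abort with a diagnostic during testing, whereas `copy_name_checked` rejects the input before any memory is touched.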