White House to release memory-safe code guidance in coming weeks


The U.S. and other intelligence partners have previously advised developers to adopt memory-safe programming languages.

The White House’s main cybersecurity directorate will be releasing a paper in the coming weeks on memory-safe software development in a bid to encourage public and private sector programmers to adopt practices that prevent hackers from compromising systems through code vulnerabilities.

The news was delivered by National Cyber Director Harry Coker in his first major speech to technology and cybersecurity professionals at a Wednesday Information Technology Industry Council event in Washington, D.C. 

Coker, the second person confirmed to the post, has been in the job for just over seven weeks and used the speech to outline various cyber priorities the office aims to usher in through a sweeping national strategy released last year. Those priorities include boosting the cybersecurity workforce and defending U.S. critical infrastructure.

“Some of the most dangerous vulnerabilities that criminals look to exploit are memory safety bugs, and memory-safe coding languages prevent those errors from ever making it into production,” Coker said at the event. “And yet, developers have been slow to adopt them, even though many have existed for years.” 

“In the coming weeks, you'll see us put out a paper that addresses both memory safety and software measurability,” he said. More details on the release date were not immediately available.

Memory vulnerabilities are rooted in software code flaws that hackers use to take control of systems. Memory safety is a property of certain programming languages that manage memory automatically, helping to prevent human errors that open up software to memory-linked hacks. Those languages — which include C#, Go, Java, Python, Rust and Swift — were recommended to software developers in a December advisory from the U.S. and its Five Eyes intelligence partners.

In addition to changing programming environments to a memory-safe language, that guidance also recommends that developers create their own roadmaps to implement associated changes like software testing.

About two-thirds of software vulnerabilities are due to a lack of memory-safe coding, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said at the time of the release.

The ONCD in August put out a request for information asking for input on memory-safe language adoption and other areas connected to open source software.

Nextgov/FCW Staff Correspondent Alexandra Kelly contributed to this report.