ONCD Report: Secure and Measurable Software

Written by Bola Ogbara | Mar 1, 2024 2:45:46 PM

The new ONCD report discusses secure software development practices and metric-building goals that will enhance cybersecurity. 

On February 26, 2024, the White House Office of the National Cyber Director (ONCD) released a report on a path toward secure and measurable software. The document responds to two goals outlined in the National Cybersecurity Strategy: to “rebalance the responsibility to defend cyberspace” and to “realign incentives to favor long-term cybersecurity investments.” The report centers on the technical means of improving the security of software and hardware and on the problem of software measurability.

The report explains that most of the responsibility for cybersecurity crisis response currently rests on the shoulders of users, when manufacturers should be doing more to prevent and respond to cyber emergencies. The push for secure-by-design software has been an important part of the Cybersecurity and Infrastructure Security Agency’s (CISA) work. Jen Easterly, director of CISA, has said that “ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem”. CISA recently established a Secure by Design Alert Series, which calls out “vulnerability or intrusion campaigns that could have been reasonably avoided if the software manufacturer had aligned to secure by design principles.”

The report implores software manufacturers to consider publishing complete Common Vulnerabilities and Exposures (CVE) data, along with the associated Common Weakness Enumeration (CWE) entries. This data has shown memory safety problems to be the root of many cyber vulnerabilities. According to Microsoft, around 70% of patched CVEs in software written in unsafe languages are due to memory safety issues.

To limit memory safety vulnerabilities, the ONCD report suggests that creators of software and hardware secure the building blocks of cyberspace, such as programming languages. Some programming languages, like C and C++, are associated with memory safety issues and are also widespread in critical systems. Manufacturers should instead aim to use memory-safe programming languages, like Rust. Hardware especially needs to be memory-safe, as cyberspace makes its way into outer space. New technologies like the memory-tagging extension (MTE) and the Capability Hardware Enhanced RISC Instructions (CHERI), by the University of Cambridge, are examples of hardware features that make devices more memory-safe. The ONCD also recommends that software developers use formal methods like sound static analysis, model checkers, and assertion-based testing during development and/or in their software supply chain.

The last pillar of the report addresses the difficulty of creating metrics that can capture the cybersecurity quality of software. Software varies significantly from program to program depending on its creators, and most means of analyzing software, like looking at known vulnerabilities, don’t yield information that could help combat future attacks. If a cybersecurity metric is developed, it could help manufacturers more easily see where to improve, visualize their strengths and weaknesses in charts and graphs, and give them an action plan before the software is released.

The ONCD report not only highlights the technical aspects of software and hardware security but also addresses the need for a holistic and proactive strategy. By urging collaboration between government agencies, manufacturers, and developers, it sets the stage for a more secure and resilient cyberspace that aligns with the goals outlined in the National Cybersecurity Strategy.