US Gov Says Software Measurability is ‘Hardest Problem to Solve’

White House calls for the “timely, complete, and consistent” publication of CVE and CWE data to help solve the security metrics problem.

The US government is calling on software manufacturers to publish “timely, complete, and consistent” documentation of security vulnerabilities to help improve efforts at measuring the quality and safety of code being generated.

A new technical report from the White House Office of the National Cyber Director (ONCD) said transparency around vulnerability documentation should include Common Vulnerabilities and Exposures (CVE) records and Common Weakness Enumeration (CWE) classifications, to support efforts to develop empirical metrics that effectively measure code quality.

“To make progress toward securing the digital ecosystem, it is necessary to realign incentives to favor long-term investments. For this realignment to generate ecosystem-wide behavior change, it is critical to develop empirical metrics that measure the cybersecurity quality of software,” the White House said.

“Ongoing work to improve how software quality and security are understood, including coordinated vulnerability disclosure, response programs, and timely CVE records, informs essential decision making throughout the ecosystem,” the government argued, noting that software measurability “is one of the hardest open research problems to address.”

The ONCD report [PDF] warns that the problem requires not only refining existing metrics and tools, but also pioneering a new frontier in software engineering and cybersecurity research.

“By advancing capabilities to measure and evaluate software security, more vulnerabilities can be anticipated and mitigated before software is released. The metrics developed from these measurements will also inform the decision-making of a broad range of stakeholders,” the agency added.

The ONCD report noted that analyzing software to evaluate its cybersecurity quality is limited by what can be quantified and warned that traditional methods, like counting known vulnerabilities, “are insufficient and do not necessarily provide insight into future threats or attack vectors.”

The White House also used the report to throw its weight behind an industry-wide push to switch to memory-safe programming languages to reduce vulnerabilities at scale and improve cybersecurity quality across the ecosystem.

“These approaches will be ambitious undertakings that will require persistent, multi-sector focus for the years to come,” the White House said. “Efforts must be made to proactively eliminate entire categories of software vulnerabilities.”

“One of the most impactful actions software and hardware manufacturers can take is adopting memory safe programming languages. They offer a way to eliminate, not just mitigate, entire bug classes. This is a remarkable opportunity for the technical community to improve the cybersecurity of the entire digital ecosystem.”

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.