US Gov Says Software Measurability is ‘Hardest Problem to Solve’

White House calls for the “timely, complete, and consistent” publication of CVE and CWE data to help solve the security metrics problem.

Software Security

The US government is calling on software manufacturers to publish “timely, complete, and consistent” documentation of security vulnerabilities to help improve efforts at measuring the quality and safety of code being generated.

A new technical report from the White House Office of the National Cyber Director (ONCD) said transparency around vulnerability documentation should include Common Vulnerabilities and Exposures (CVE) data and Common Weakness Enumeration (CWE) data, to support efforts to develop empirical metrics that effectively measure code.

“To make progress toward securing the digital ecosystem, it is necessary to realign incentives to favor long-term investments. For this realignment to generate ecosystem-wide behavior change, it is critical to develop empirical metrics that measure the cybersecurity quality of software,” the White House said.

“Ongoing work to improve how software quality and security are understood, including coordinated vulnerability disclosure, response programs, and timely CVE records, informs essential decision making throughout the ecosystem,” the government argued, noting that software measurability “is one of the hardest open research problems to address.”

The ONCD report [PDF] warns that the problem requires not only refining existing metrics and tools but also pioneering a new frontier in software engineering and cybersecurity research.

“By advancing capabilities to measure and evaluate software security, more vulnerabilities can be anticipated and mitigated before software is released. The metrics developed from these measurements will also inform the decision-making of a broad range of stakeholders,” the agency added.

The ONCD report noted that analyzing software to evaluate its cybersecurity quality is limited by what can be quantified and warned that traditional methods, like counting known vulnerabilities, “are insufficient and do not necessarily provide insight into future threats or attack vectors.”

The White House also used the report to throw its weight behind an industry-wide push to switch to memory-safe programming languages to reduce vulnerabilities at scale and improve cybersecurity quality across the ecosystem. 


“These approaches will be ambitious undertakings that will require persistent, multi-sector focus for the years to come,” the White House said. “Efforts must be made to proactively eliminate entire categories of software vulnerabilities.”

“One of the most impactful actions software and hardware manufacturers can take is adopting memory safe programming languages. They offer a way to eliminate, not just mitigate, entire bug classes. This is a remarkable opportunity for the technical community to improve the cybersecurity of the entire digital ecosystem.”
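The report's point that a memory-safe language eliminates a bug class rather than mitigating it can be seen in a small parser. The following is an added example written for this article, not code from the ONCD report or from SecurityWeek; the length-prefixed record format it parses is a constructed one. In C, copying `buf[0]` bytes out of a truncated buffer is an out-of-bounds read that compiles and runs; in safe Rust the equivalent slice operation cannot read past the buffer, because `get` returns `None` instead.

```rust
// Added example (not from the report): parsing a constructed length-prefixed
// record format with bounds-checked slicing. The classic C mistake
// `memcpy(out, buf + 1, buf[0])` on a short buffer reads past the end of the
// allocation; here the same mistake is unrepresentable. `get` returns None
// when the requested range is not fully inside the buffer, and the caller has
// to handle that case before it can touch the payload.

/// One record: a single length byte followed by that many payload bytes.
/// Returns None for an empty buffer or a buffer shorter than the declared length.
pub fn parse_record(buf: &[u8]) -> Option<&[u8]> {
    let len = *buf.first()? as usize;
    // 1 + len is at most 256, so this cannot overflow on any platform.
    buf.get(1..1 + len)
}

/// Walk a stream of records and stop cleanly at the first malformed one.
/// Everything parsed before the malformed record is still returned.
pub fn parse_stream(mut buf: &[u8]) -> Vec<&[u8]> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        match parse_record(buf) {
            Some(payload) => {
                out.push(payload);
                // Advance past the length byte and the payload just consumed.
                buf = &buf[1 + payload.len()..];
            }
            None => break,
        }
    }
    out
}

fn main() {
    // Constructed sample input: two well-formed records.
    let good = [3u8, b'a', b'b', b'c', 1, b'z'];
    println!("{:?}", parse_stream(&good));

    // Constructed sample input: declares 5 payload bytes but carries only 2.
    let truncated = [5u8, b'a', b'b'];
    println!("{:?}", parse_record(&truncated));
}
```

The truncated input is the case that matters: the declared length is attacker-controlled in any real protocol, and the language guarantees that a wrong value yields `None` (or, with plain indexing, a panic) rather than a silent read of adjacent memory.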

Related: Cost of Sandboxing Prompts Shift to Memory-Safe Languages

Related: Five Eyes Agencies Publish Guidance on Memory Safety Bugs

Related: CISA Intros Secure-by-design and Secure-by-default Principles

Related: Project Zero Says Zoom Platform Missed ASLR Exploit Mitigation

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
