
White House Unveils Guidance for Secure and Measurable Software Development

Patrick Pushor


March 12, 2024

In a strategic move towards enhancing national cybersecurity, the White House has released a comprehensive document titled "Back to the Building Blocks: A Path Toward Secure and Measurable Software." This report, aligned with President Biden's National Cybersecurity Strategy, underscores a key shift towards fortifying the foundational elements of application security, and more specifically promotes establishing robust metrics for it. It identifies programming languages, hardware architecture, and formal methods as the primary building blocks, and emphasizes memory safety in programming languages as a critical factor in reducing vulnerabilities. Memory safety issues, which have plagued cybersecurity for decades, can be significantly mitigated by adopting memory-safe programming languages. The document points out that while languages like C and C++ are widely used in critical systems, they lack memory safety features, making them susceptible to a range of cyber threats. The C and C++ programming languages underpin critical systems, operating systems, and applications used globally. They power critical database technology including Oracle, MySQL, MS SQL Server, and PostgreSQL, as their efficiency, low-level control, and robustness often make them the go-to choice for handling vast amounts of data.

Acknowledging the memory safety concerns associated with C and C++, it's important to note that other widely-used programming languages come with their own unique challenges that can also result in vulnerabilities. Java, for example, is known for its reliability and extensive application, yet it can encounter complications from its garbage collection and exception handling processes, which, if not carefully managed, may cause both performance issues and security weaknesses. Python, praised for its ease of use and clarity, is not without its vulnerabilities; its dynamic characteristics can inadvertently facilitate code injection attacks in the absence of stringent input validation. JavaScript, which underpins much of the internet's functionality, is not exempt from security issues either, with cross-site scripting (XSS) and cross-site request forgery (CSRF) being notable risks, largely because of how it operates within web browsers.

To complement the use of memory-safe programming languages, the report also highlights the role of memory-safe hardware and formal methods. Memory-safe hardware, such as new memory-tagging extensions, can provide additional layers of protection against memory safety vulnerabilities. Formal methods, which use mathematical proofs to verify the correctness of software, are recommended as a tool for eliminating vulnerabilities beyond memory safety issues.

Phantom C/C++ code

Avoiding the use of C/C++ does not entirely eliminate the risk from certain attack vectors. Indeed, higher-level languages such as Python and Ruby can run Phantom C/C++ code using bindings to C/C++ and other methods for executing C/C++ code. This is evident from the Backslash CWE website. For instance, the buffer overflow page shows that, based on GitHub security advisories, Python is the most vulnerable technology. In this vulnerability, the PaddlePaddle package binds C++ code, which can be seen in this commit.

This evidence demonstrates that even if C/C++ aren't your main programming languages, third-party OSS packages using C could still pose a risk.
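One practical way to surface this "phantom" native code is to inventory a Python environment for compiled extension modules and for ctypes/cffi usage, since neither shows up in a plain list of pure-Python dependencies. The following is an added example, not code from the original post or from Backslash; it walks a site-packages directory (a constructed sample tree with hypothetical package names is built for the demo) and reports which packages carry C/C++ code that a memory-safety review should cover.

```python
import os
import re
import tempfile
from collections import defaultdict

# Compiled extension modules that a pure-Python package list would not reveal.
NATIVE_SUFFIXES = (".so", ".pyd", ".dylib")
# Source-level hint that Python code calls into native libraries at runtime.
FFI_PATTERN = re.compile(r"^\s*(?:import|from)\s+(?:ctypes|cffi)\b", re.MULTILINE)


def inventory_native_code(site_packages):
    """Map top-level package -> {"binaries": [...], "ffi_sources": [...]} for
    every package that ships compiled extensions or imports ctypes/cffi.
    Paths are relative to site_packages and use forward slashes."""
    findings = defaultdict(lambda: {"binaries": [], "ffi_sources": []})
    for root, _dirs, files in os.walk(site_packages):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, site_packages).replace(os.sep, "/")
            pkg = rel.split("/")[0]
            if name.endswith(NATIVE_SUFFIXES) or ".so." in name:
                findings[pkg]["binaries"].append(rel)
            elif name.endswith(".py"):
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    if FFI_PATTERN.search(fh.read()):
                        findings[pkg]["ffi_sources"].append(rel)
    return {pkg: {k: sorted(v) for k, v in hits.items()} for pkg, hits in findings.items()}


def build_demo_site_packages():
    """Constructed sample tree (hypothetical package names, not real projects)
    standing in for a site-packages directory; returns its path."""
    base = tempfile.mkdtemp(prefix="demo_site_packages_")
    layout = {
        "purepkg/__init__.py": "def add(a, b):\n    return a + b\n",
        "nativepkg/__init__.py": "from ._core import run\n",
        "nativepkg/_core.cpython-311-x86_64-linux-gnu.so": "\x7fELF",  # stub header only
        "ffipkg/__init__.py": "import ctypes\nlibc = ctypes.CDLL(None)\n",
    }
    for rel, body in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    for pkg, hits in sorted(inventory_native_code(build_demo_site_packages()).items()):
        print(pkg, hits)
```

Pointing `inventory_native_code` at `sysconfig.get_paths()["purelib"]` runs the same inventory against a real environment.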

Addressing the Software Measurability Problem

The White House document delves into the challenges of measuring software security and the importance of developing empirical metrics for cybersecurity quality. It acknowledges the complexity of creating reliable and consistent measures for software security, given the dynamic and evolving nature of software development and cyber threats. The report calls for a concerted effort from the research community to advance the field of software measurability, which would enable the development of metrics that can inform decision-making by consumers, manufacturers, and policymakers.

The Backslash Security Take

Echoing these insights from the White House report, Backslash Security firmly believes in the need to refine the measurement of application security through the development of empirical, actionable metrics. The current state of application security tools, marked by a proliferation of offerings with poor effectiveness, has inevitably led us to this juncture. It's no surprise that with the quality and capabilities of these tools, the industry faces significant challenges in establishing reliable and uniform metrics that can adeptly navigate and adapt to the rapid pace of technological evolution and emerging threats.

To navigate these complexities, Backslash Security champions a comprehensive strategy that incorporates a broad spectrum of signals throughout an application's lifecycle to bolster its security posture. By harnessing insights from code reachability analyses, the Exploit Prediction Scoring System (EPSS), and infrastructure configuration assessments, we aim to discern the critical vulnerabilities that pose genuine threats from the sea of theoretical risks. This discernment is crucial, as the industry grapples with the pervasive issue of false positives, a problem that significantly undermines the trustworthiness of alerts generated by security tools. The impact of false positives on application security cannot be overstated. They not only squander valuable time and resources but also erode the overall confidence of appsec teams and developers in the security processes. Once skepticism sets in, following the exhaustive pursuit of issues that ultimately prove inconsequential, reinstating faith in the system becomes a formidable challenge. This erosion of trust jeopardizes the efficacy of security measures and the overall protection of applications.

Backslash Security also empowers users to articulate these complex risk narratives with precision and transparency. By facilitating the export of vulnerability information in industry-standard formats like VEX (via CycloneDX), we ensure that Backslash customers can convey these detailed, actionable insights on software risk to stakeholders. This capability is key in cultivating a more enlightened and proactive application security ecosystem. 

Wrapping It Up

The White House's guidance on secure and measurable software development, alongside Backslash Security's commitment to refining application security metrics, represents a significant step forward in addressing cybersecurity challenges. By focusing on memory safety, the adoption of formal methods, and the importance of accurate risk assessment, we are laying the groundwork for a more secure application development environment. Our emphasis on reducing false positives and enhancing the clarity of risk communication further strengthens the foundation for resilient application security infrastructure. This collaborative approach between government directives and private sector innovation is crucial for enhancing the security and reliability of software applications across our interconnected landscape.