Mission-critical software should abandon C
October 31, 2024
The guidance is the government's toughest stance yet on software security, and it warns manufacturers to eliminate dangerous programming practices or face charges of negligence.
The federal government is warning about dangerous software development practices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are issuing strong warnings about security breaches that continue to impact critical infrastructure.
A recent report issued jointly by CISA and the FBI on insufficient product security controls warns software manufacturers against using memory-unsafe programming languages such as C and C++.
“Development of new product lines for use in critical infrastructure or national critical functions (NCFs) in a memory-unsafe language (such as C or C++), when there are alternative memory-safe languages available that can be used, poses a threat and significantly increases the risk to national security, national economic security, and public health and safety,” the report says.
Three categories
The report states that bad practices fall into three categories:
Product properties, which describe the observable security-related qualities of a software product.
Security features, which describe the security functionality supported by the product.
Organizational processes and policies that describe the actions a software manufacturer takes to ensure transparency about security issues.
The report says it is intended for software manufacturers who develop software products and services, including on-premise software, cloud services and software as a service (SaaS), used to support critical infrastructure or national critical functions (NCFs).
Avoid bad practices, follow best practices
In addition, the report calls on all software manufacturers to avoid these practices that are harmful to product security. “By following the recommendations in this guide, manufacturers will show customers that they take responsibility for customer security, a key principle of Secure by Default,” the report states.
“This guidance is certainly a continuation of earlier US government announcements on this issue in 2022, which encouraged technology providers and enterprise solution users to move to memory-safe languages,” said Brad Shimmin, an analyst at Omdia.
“Fortunately, neither this document nor the US government is calling for an immediate transition from C/C++ to Rust – this is just one example,” he said. “CISA's Secure by Default document recognizes that software developers simply cannot migrate their codebases en masse in this manner.”
This guidance, although voluntary, represents CISA's strongest stance yet on basic security practices. It warns companies about what constitutes careless software development practices when it comes to critical infrastructure.
The clock is ticking
However, the clock is ticking for software makers. Companies have until January 1, 2026 to produce memory safety plans.
“For existing products written in memory-unsafe languages, the lack of a published roadmap to achieve memory safety by January 1, 2026 is dangerous and significantly increases the risk to national security, national economic security, and public health and safety,” the report states.
Additionally, default passwords should be removed from administrator accounts by this date. These timelines indicate a transition from recommendations to expected standards.
The report also states that a vendor's memory safety roadmap should prioritize remediating vulnerabilities in the code components that matter most for memory safety (for example, code that interacts with the network, or code that performs critical functions such as cryptographic operations).
“Manufacturers must demonstrate that the memory safety roadmap will result in a significant and prioritized reduction of memory safety vulnerabilities in the manufacturer's products, and demonstrate that they are making reasonable efforts to comply with the memory safety roadmap,” the report states.
“There are two good reasons why companies continue to support large-scale COBOL and Fortran code. There are costs and risks,” Shimmin told The New Stack. “Migrating millions of lines of code is simply not financially feasible, and no responsible organization would take that risk.”
However, according to the report, critical infrastructure continues to suffer from “exceptionally high-risk” practices, such as:
Default passwords
Direct SQL injection vulnerabilities
Lack of basic intrusion detection
No multi-factor authentication
Open source
Regarding open source software, the report states that special attention should be paid to vulnerabilities in open source software. Other recommendations include:
Companies must maintain software bills of materials (SBOMs).
Dependencies should be cached rather than fetched from publicly available sources.
The open source projects they depend on must be consumed responsibly.
“Software producers must consume responsibly and make sustainable contributions to the open source software they depend on,” the report says.
The report also calls for greater transparency, saying that:
Companies should publish vulnerability disclosure policies.
A CVE should be issued for every critical vulnerability.
Security issues should be clearly documented.
Security logs are expected to be retained for six months.
This is good
Finally, it's good that CISA is recommending that companies with mission-critical software have a clear plan in place in the event of an attack by early 2026, Shimmin said. “This is good because the industry will have more time to find better ways to secure our critical software assets,” he said.
“These remedies will likely come from hardware manufacturers supporting potential attack vectors, and programming language developers offering things like the Safe C++ proposal, which requires the creation of a superset of C++ that addresses memory safety concerns without forcing the main code to be rewritten,” he said.
Paper tiger?
“CISA places restrictions on insecure applications written in C/C++ or assembly language. With less than 15 months left until the deadline, users and vendors will be forced to comply, as many mission-critical government systems still use C/C++,” Holger Mueller, an analyst at Constellation Research, told The New Stack. “Now everyone will be watching suppliers and developers to see if they can meet this deadline. We will see in a few months whether this CISA order is a paper tiger, a toothy tiger, or largely consistent with the standard rules. Time will tell.”
Transition to memory safety
According to Tim McNamara, founder of Accelerant.dev and author of Rust in Action, companies are definitely looking to build more secure software. The industry is moving away from unsafe practices, which is a healthy shift.
“However, there are still enough loopholes in the document to maintain the status quo,” McNamara told The New Stack. “It seems that the authors are clearly afraid of exceeding their authority. Note that the text uses terms such as ‘strongly recommend,’ ‘shall,’ and ‘reasonable efforts.’”
Additionally, the document's requirements are also fairly lenient, McNamara said. New software must be written in a memory-safe programming language. Software makers with current products are being asked to develop a “memory-safe roadmap” by 2025.
“This roadmap is the manufacturer's plan to reduce memory safety bugs over time,” McNamara said. “There are also important exceptions. Roadmaps are not required for products that have an end-of-life date of 2030, despite many programs running much longer than expected.”
McNamara noted that in 2007, MITRE published a report called “Unforgivable Vulnerabilities,” which prioritized memory safety. However, these errors are still not considered negligence in software development. “I don’t see any other areas where it is acceptable not to apply known solutions to serious security problems,” he said.
Still, “it will be interesting to see how the industry responds to the invitation to comment, especially since there will be an election in between,” McNamara said. “Let’s hope the concerns don’t escalate into political disputes.”
CISA has opened a public comment period on its guidance until December 16, 2024. Please visit the Federal Register to leave comments.