A new Era in Programming

Sat 09 November 2024

CISA & Secure by Design


On October 16, 2024 CISA, together with the FBI, released a report outlining certain points of its Secure by Design guidance. Secure by Design is a set of guidelines for designing software with security at its core, instead of as an afterthought or a "feature". Under this approach security is treated as a core concern of the software rather than a feature to be advertised.

It might seem obvious that security should be a core concern of any software, but writing secure, safe software is time consuming and difficult. Not all software developers put security ahead of pushing features. This is never a good idea, but people do it regardless. There are many ways that software can become compromised, and most of them come down to human error: poor coding practices and lazy development. It's easy to accidentally store sensitive data as plain strings instead of encrypting it, or to mismanage memory so that an out-of-bounds read or a use-after-free exposes data that was never meant to leave the program.

By being selective in the technologies used when creating software, one can create software that is secured from the ground up.

Some things to consider when creating software:

  • What programming language will the software be written in?
  • Who will use the software?
  • What will the software do or be responsible for?
  • What sort of data is the program working with? I.e. is it sensitive user data?

One of the most important and difficult decisions when creating software is the programming language. You have to think long and hard about what your program will be doing and where it will be used. Is it an embedded system? Or is it a cloud service? For example, a web developer working in JavaScript, Python or PHP doesn't normally have to worry about memory safety, because those languages manage memory for them (the runtimes and native libraries underneath are still written in C or C++, so the problem is moved rather than removed). However, when writing something like an embedded program or an operating system you will probably be using C or C++. C has been around since the early 1970s and C++ since the early 1980s. Memory safety was not a design goal of either; garbage-collected languages existed even then, but treating memory safety as a requirement for systems programming is a relatively new idea.

What is memory safety?

When you write a computer program you might tell the computer that you want to store 5 numbers in an array or list. In C you can access each number in this list, but what if I gave you a grocery list with 5 items on it, you got the five items, and then I asked for a sixth? You would be confused. In C the computer isn't smart enough to be confused and just gives you whatever it has stored where the alleged 6th item would be. Remember that the bytes next to the list belong to the same program: other variables, heap allocations, saved return addresses. If the program stored a password or a session key there, the computer "leaks" it to whoever asked for item six (Heartbleed was exactly this, an out-of-bounds read in OpenSSL). This is what's called a data leak, or memory disclosure, and it's one of many pitfalls of coding in C and other older languages that deal directly with memory; writing past the end of the list is worse still, since it overwrites whatever lives there. When we speak of a memory-safe language we mean a language that by design avoids most or all of these pitfalls, typically by checking every index against the length of the list before touching memory.
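The grocery list scenario in working C, as an added example that is not part of the original post. One constructed buffer stands in for the program's memory: a five-item list followed directly by a secret. `unchecked_get` does what C does by default, `checked_get` performs the length check a memory-safe language would perform automatically. The buffer contents, the function names and the `LIST_LEN`/`SECRET_LEN` sizes are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Constructed sample "memory": one contiguous object whose first LIST_LEN
 * bytes are the grocery list and whose remaining bytes are a secret the
 * program never intended to hand out. Keeping both in a single array makes
 * the over-read well-defined here so the example runs reliably; in a real
 * program reading past an array is undefined behaviour and the neighbour
 * could be a password, a heap pointer or a saved return address.
 */
#define LIST_LEN 5
#define SECRET_LEN 8
static const char MEMORY[LIST_LEN + SECRET_LEN] = {
    'M', 'E', 'B', 'R', 'C',                /* milk, eggs, bread, rice, cheese */
    'S', 'E', 'C', 'R', 'E', 'T', '4', '2'  /* adjacent secret */
};

/* The C default: trust the caller's index and read whatever is there. */
char unchecked_get(const char *list, size_t index) {
    return list[index];
}

/* What a memory-safe language does on every access: compare the index with
 * the list length first. Returns the byte (0..255) or -1 for out of bounds. */
int checked_get(const char *list, size_t len, size_t index) {
    if (index >= len) {
        return -1;                          /* refuse instead of leaking */
    }
    return (unsigned char)list[index];
}

int main(void) {
    /* Ask for "item 6" (index 5) of a five-item list both ways. */
    printf("unchecked item 6: %c\n", unchecked_get(MEMORY, 5));   /* 'S', first byte of the secret */
    int r = checked_get(MEMORY, LIST_LEN, 5);
    if (r < 0) {
        printf("checked item 6: refused, index out of bounds\n");
    } else {
        printf("checked item 6: %c\n", r);
    }

    /* A Heartbleed-style request: "give me 13 items" from a list of 5. */
    printf("unchecked dump of 13 items: ");
    for (size_t i = 0; i < LIST_LEN + SECRET_LEN; i++) {
        putchar(unchecked_get(MEMORY, i));
    }
    putchar('\n');                          /* prints MEBRCSECRET42 */
    return 0;
}
```

The only difference between the two functions is the single comparison in `checked_get`; that comparison is what the language does for you in Rust, Go, Java or Python, and what C leaves to the programmer to remember on every access.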

Why is it such a big deal to stop using C/C++?

The C programming language has been around since the early 1970s, which in computer terms is ancient times. It was the turning point in programming in its day, when developers used languages that were far less human readable and, before that, forged their software in literal 0s and 1s. In those times it was the job of the software developer to program proper and secure memory management into their program with little to no help from the computer. Because of its age, C is the foundation of the entire world's software base; it's literally everywhere. Rewriting all of our current software in memory-safe languages is unrealistic. It's better to concentrate on securing the current software and writing new software in a memory-safe language, and that is what CISA is asking for: its report lists starting new product lines in a memory-unsafe language as a bad practice and asks manufacturers to publish a memory-safety roadmap for their existing products. This is a huge leap forward, and to some a terrifying change.

What are some memory safe programming languages?

So CISA has declared that developers should stop using memory-unsafe languages like C/C++, so what are the options?

You might be happy to know that the list of memory-safe languages is extensive, and CISA gives a list on its website; Rust is one of them.

I myself am learning Rust, and I'm working on a program called Spacepix, which I'm writing in Rust. Because it's written in Rust, I don't have to worry about these pitfalls. There is a downside to all of this, and that is that new developers won't know how to fix or avoid these issues if they ever come across them in their journey.

Two factor authentication


Two-factor authentication is another technology the report recommends that developers build into the security plan of their software. It verifies the user by more than one means rather than just an email and password: a PIN, a third-party authenticator app, or even a USB fingerprint scanner. The second factor should be of a different kind from the first (something the user has or is, not a second thing they know), otherwise a phished or reused password takes both down together. Like it or not, most apps are moving to multi-factor or two-factor authentication.

The part played by open source software


In their report they say "Software manufacturers should responsibly consume and sustainably contribute to the open source software that they depend on." I agree with this completely. It's not the fault of open source software that it has known security issues that haven't been fixed when the project relies on volunteers and charity; if a company wants to use open source software that doesn't conform to its needs, it can contribute either financially or by contributing to the codebase. Valve's Steam Deck is a great example of this. They could very well have put Windows on the Steam Deck, but instead they saved money and helped a wonderful open source project at the same time. By using Arch Linux as the base for their OS they financially supported that project and avoided expensive service contracts with Microsoft. Their most expensive endeavor has been the Windows compatibility layer that allows games designed to run only on Windows to run on Linux. They could easily have spent that money on a Windows service contract, but instead they contributed a MAJOR piece of software to the open source community and cause.

Anyway, back to security: since Valve is using this open source OS, Valve must ensure that it's safe and secure, and it must contribute to fixing any issues before shipping the software in a product.

My Two Beans

🫘🫘 Software companies have taken a laid-back approach to security unless pressure is put on them from the beginning to be secure. Security is often overlooked in favor of adding more features more quickly, and that is a bad approach that can cost time, data, and money. By going with a secure-by-design approach from the beginning, it's often easier to build security into more parts of your software. It's up to the developer to make sure software is secure for the user; it's not the responsibility of the user. It takes time and costs more money to develop software with security in mind, but it's a necessary expense compared to the alternative. Thank you so much for reading, this was my two beans.

By Mark A Waid Jr, Category: Cyber Security

Tags: technology / computer programming / CISA / IT / computers / software / security / cyber security /
