Better software security this way comes

Print Friendly, PDF & Email

A massive transition in the way software is developed is now underway that cybersecurity professionals have a vested interest in accelerating. There are fundamentally two major security issues that arise because of the way software is developed.

The first is the use of C, C++, and assembly as the programming languages used to build applications are not memory safe. As a result, it becomes possible to access data in memory because there is no mechanism to prevent it whenever another application accesses the same memory.

While that may not seem like a pivotal security issue, it turns out access memory overflows is fairly common. A massive percentage of the vulnerabilities disclosed in the last decade have involved memory safety issues. More modern programming languages such as Rust, Go, C#, Java, Swift, Python, and JavaScript. The National Security Agency (NSA) has even now gone so far as to issue a set of guidelines that explains to developers why should be using memory-safe programming languages.

The second major software security issue of the day concerns how applications are constructed. The current predominant method for building software relies on the aggregation of software components that tend to lack distinct boundaries between them. The cybersecurity issue that gets created is it becomes relatively simple for malware to infect all the components of an application. This is why so many cybercriminals these days are so intent on trying to compromise software supply chains. Malware inserted into, for example, an upstream open-source software component can over time be easily propagated across thousands of applications.

A portable binary instruction format known as WebAssembly (Wasm) is now being advanced to  C++construct software in a memory-safe, sandboxed execution environment. The World Wide Web Consortium (W3C) drove the initial development of WASM as part of an effort to create a common format for browsers executing JavaScript code. Wasm is now being extended beyond browsers and JavaScript to enable developers to create a set of secure universal binaries that could work on any platform without modification.

Naturally, it may take a while for Wasm to gain traction and for applications written in C, C++, and assembly to be replaced by applications that don’t have nearly as many vulnerabilities. However, cybersecurity professionals can play a pivotal role in accelerating that process first by identifying applications written in older programming languages running in production environments and then encouraging developers to start becoming more familiar with Wasm. There is still work to be done to make Wasm more easily accessible to the average developer but by the time a development team completes an application they start building now a wide range of platforms for running these applications should be generally available next year.

The current software security mess that the IT industry finds itself in is not a hole that was dug overnight. It will take years of effort to move beyond it. In the meantime, cybersecurity professionals should take some comfort in the fact that software developers are not just owning up to these issues but are now also doing something meaningful to address them that goes well beyond creating another patch that needs to be deployed whenever someone has the time to install it.

Of course, there will always be no shortage of cybersecurity issues that need to be addressed. However, it’s apparent that as software development continues to evolve, the IT industry as well may soon stop being its own worst enemy.

Scroll to top