
US White House, “Python, Java, and C# are the safest”

Stock image of Python code; not directly related to the story. (Photo: Korea Tektronix)

[애플경제 reporter 전윤미] The U.S. White House is drawing attention once again by actively encouraging the use of Python, Java, and C#. On the 5th the White House recommended, “For cybersecurity, use the most secure programming languages, such as Python, Java, and C#, to reduce vulnerabilities and promote a standardized approach to building secure software.” In effect, the White House has recognized these languages, which sit at the top of the TIOBE Index, as the strongest defensive shield currently available for cybersecurity.

Announces assessment of all languages ​​for computing security

The White House, which recently published a report containing these recommendations, singled out the three representative languages, stating that “the root cause of cyber attacks is vulnerabilities in computing security.” On that basis it specifically called for adopting ‘memory-safe programming languages’ and for developing new metrics for measuring hardware security.

According to foreign media such as ‘TechRepublic’ and Digitimes on the 6th, the report, titled ‘Back to the Building Blocks: A Path Toward Secure and Measurable Software’, was published by the U.S. government to address hardware and software security from the design stage onward. It is intended to communicate priorities to IT professionals and business leaders, and it proposes a range of cybersecurity approaches, framed as both ‘advice’ and ‘loose guidance’.

The report also warned, “Even if all known vulnerabilities are fixed, undiscovered vulnerabilities will remain prevalent throughout the software ecosystem, creating additional risk,” and emphasized that “a ‘proactive approach’ focused on eliminating entire classes of vulnerabilities is necessary.”

Such an approach, it explained, “provides a predictable system that reduces potential vulnerabilities, produces more reliable code, reduces downtime, and more.”

The report also pointed out that although ‘memory safety vulnerabilities’ have existed for the past 35 years, no clear solution has yet been found. It stressed, “There is no ‘panacea’ for all cybersecurity issues, but using a programming language with built-in memory safety features can significantly reduce the kinds of cyber attacks that are possible.”
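To make the “entire class of vulnerabilities” point concrete, here is an added example (not code from the report or from the article) in Python, the first of the languages the White House named. It parses a small type-length-value byte stream, a format where a lying length field is the classic trigger for an out-of-bounds read in C. The sample streams are constructed for the example. Two things are shown: the runtime itself refuses an out-of-bounds index instead of returning adjacent memory, and, as a caveat the report’s “no panacea” line hints at, memory safety does not remove the need for an explicit length check, because Python slicing silently shortens a slice rather than failing.

```python
from typing import List, Optional, Tuple

# Constructed sample: two well-formed records (type 1: "abc", type 2: "xy"),
# then a record whose declared length (0x10 = 16) exceeds the bytes that remain.
GOOD_STREAM = bytes([0x01, 0x03]) + b"abc" + bytes([0x02, 0x02]) + b"xy"
TRUNCATED_STREAM = GOOD_STREAM + bytes([0x03, 0x10]) + b"short"


def parse_tlv(stream: bytes) -> List[Tuple[int, bytes]]:
    """Parse 1-byte-type / 1-byte-length / value records.

    In a memory-unsafe language, a length field larger than the remaining
    buffer lets a copy read past the end of the allocation. Here every index
    is bounds-checked by the runtime, and the length is validated explicitly
    as well, because a slice such as view[pos:pos + length] would otherwise
    just return fewer bytes than declared (a logic bug, not a memory bug).
    """
    records: List[Tuple[int, bytes]] = []
    view = memoryview(stream)
    pos = 0
    while pos < len(view):
        if len(view) - pos < 2:
            raise ValueError(f"truncated record header at offset {pos}")
        rtype = view[pos]
        length = view[pos + 1]
        pos += 2
        if length > len(view) - pos:
            raise ValueError(
                f"record type {rtype} declares {length} bytes but only "
                f"{len(view) - pos} remain"
            )
        records.append((rtype, bytes(view[pos:pos + length])))
        pos += length
    return records


def read_byte(stream: bytes, offset: int) -> Optional[int]:
    """Read one byte by index.

    A memory-safe runtime raises IndexError on an out-of-bounds index instead
    of handing back whatever happens to sit after the buffer; the caller gets
    a clean failure (None here) rather than leaked or corrupted data.
    """
    try:
        return stream[offset]
    except IndexError:
        return None


if __name__ == "__main__":
    print(parse_tlv(GOOD_STREAM))
    try:
        parse_tlv(TRUNCATED_STREAM)
    except ValueError as exc:
        print("rejected:", exc)
    print(read_byte(GOOD_STREAM, 100))
```

The first stream parses to two records, the second is rejected at the malformed third record with a descriptive error, and the out-of-range read returns None. The same input handed to an unchecked C parser would be a memory-disclosure or memory-corruption bug; in a memory-safe language the worst case is a handled exception.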

Request to “build new products and write functions in safe language”

By contrast, the White House ONCD (Office of the National Cyber Director) drew attention by naming C and C++, both very widely used programming languages, as “not memory-safe.” Regarding Rust, which has recently seen wide adoption, it noted that “although it is a memory-safe programming language, it has not been proven in the kind of aerospace systems where the government requires special assurance.”

ONCD also said, “Software and hardware manufacturers are the stakeholders best positioned and responsible for creating memory-safe hardware,” adding, “As such, they will need to build new products, or rewrite critical functions and libraries, in memory-safe programming languages.”

Previously, in April 2023, the U.S. National Security Agency (NSA) evaluated and published its assessment of the most secure programming languages in a report. In it, Python, Java, and C# were ranked as the safest, followed by Go, Delphi/Object Pascal, Swift, Ruby, Rust, and Ada, all rated as memory-safe programming languages.

The White House report goes one step further, stating that “it is important to develop ‘empirical metrics’ to measure the cybersecurity quality of software.” In practice, however, this is recognized as a harder task than simply adopting a memory-safe programming language; creating meaningful metrics or tools to measure and evaluate software security has remained unfinished work for several decades.

Industry: “We agree, but there are many limits to using only safe languages”

The industry generally agrees with this, but maintains that there are many practical limitations. “Enterprises have a long way to go to reduce their attack surface in the ways suggested in the ONCD report,” said Paul Furtado, Gartner vice president.

“There is some level of technical security risk lurking in every environment and application, as even internally developed applications rely on native code libraries,” he said. “Until those technical security risks are addressed across the entire technology chain, the attack surface remains small. Even if we start to reduce it, the fundamental risk will still remain.”

He added, “It will take years for companies and organizations to address all remaining technical security risks that are still vulnerable to exploitation.”