The announcement by the White House Office this week calling on the technical community to adopt memory safe programming languages and code analysis techniques is a significant and commendable step toward securing the building blocks of our technology systems.
As the leader in helping businesses and developers build secure and reliable software with Clean Code, we applaud the administration’s call for addressing software vulnerabilities at the programming language and source code levels.
The report released by the ONCD puts a spotlight on one of the most foundational issues that result in insecure software: on average, there is 1 issue found in every 27 lines of code, based on our experience analyzing billions of lines. The report’s recommendations on memory safety, formal methods such as static code analysis, and software measurability will not only mitigate but eliminate broad categories of software vulnerabilities.
Memory safety vulnerabilities and static analysis
Memory safety vulnerabilities are coding errors in the software’s memory management code that allow memory to be accessed, written, allocated, or deallocated in unintended ways. Common examples include use of uninitialized memory, buffer overflows, and failure to deallocate memory after use. When memory is not properly managed, attackers can exploit these vulnerabilities to run malicious code, capture critical data, and bring down systems.
Memory safe languages such as C#, Java, Python, Go, Rust, and Swift intrinsically prevent software developers from introducing severe bugs that not only impact stability, productivity, and application performance but also lead to memory-related vulnerabilities that can severely impact the security of software.
Using these languages is the first step to eliminating these risks. Teams building future software should certainly keep memory safe languages top of mind. However, code written in memory-risky languages such as C and C++ is still prevalent and especially needs an extra level of scrutiny to prevent memory safety vulnerabilities from escaping into production.
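The defect classes listed above, shown in C as a "before" function beside a hardened "after" that a reviewer or static analyzer would push for. This is an added example, not code from the post or from Sonar; NAME_MAX and the greet_* names are constructed for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16  /* constructed buffer limit for the example */

/* "Before": the memory-management errors the post describes, in one
 * function. strcpy has no bound, so a name of NAME_MAX or more bytes
 * overflows buf; the heap result is returned with no ownership contract,
 * so callers routinely forget to free it. Kept only for contrast; it is
 * exactly the pattern a static analysis rule for unbounded copies flags. */
char *greet_unsafe(const char *name) {
    char buf[NAME_MAX];                 /* uninitialized stack buffer */
    strcpy(buf, name);                  /* unbounded copy: overflow risk */
    char *out = malloc(NAME_MAX + 8);   /* NULL return is never checked */
    strcpy(out, "Hello, ");
    strcat(out, buf);
    return out;                         /* who frees this? */
}

/* "After": every copy is bounded by an explicit length check, the local
 * buffer is zero-initialized so a partial copy can never expose stale
 * stack bytes, and the caller supplies the output buffer so there is no
 * heap allocation to leak. Returns 0 on success, -1 on any invalid input. */
int greet_safe(const char *name, char *out, size_t out_len) {
    static const char prefix[] = "Hello, ";
    const size_t plen = sizeof(prefix) - 1;
    char buf[NAME_MAX] = {0};           /* zeroed: no uninitialized bytes */

    if (name == NULL || out == NULL) {
        return -1;
    }
    size_t n = strlen(name);
    if (n >= sizeof buf) {              /* reject instead of overflowing */
        return -1;
    }
    memcpy(buf, name, n + 1);           /* bounded: n + 1 <= sizeof buf */

    size_t need = plen + n + 1;         /* prefix + name + terminating NUL */
    if (need > out_len) {               /* output buffer is checked too */
        return -1;
    }
    memcpy(out, prefix, plen);
    memcpy(out + plen, buf, n + 1);
    return 0;
}
```

Compiling with -Wall -Wextra and running a static analyzer over the "before" function reports the unbounded strcpy; the "after" function turns those same conditions into a checked error return instead of undefined behaviour.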
Fix code issues as early as possible
Every organization today needs to inspect its software development processes and take immediate, proactive steps to secure its systems. This includes incorporating rigorous analysis methods – code reviews and formal methods like static analysis practices as recommended by the ONCD – along with the enforcement of quality standards into the development workflow for greater assurance of the quality of output.
However, many organizations today are not able to take sufficient steps to mitigate the risk of low-quality software either because they simply aren’t aware of the risks they carry with existing processes, or often are not able to prioritize until deemed necessary. The lack of focus on this fundamental problem exacerbates the risks. As the report states, the responsibility really starts with the board of directors, the CEO, CTO, CIO. There’s no better or more urgent time to prioritize this at the organizational level than today.
We, at Sonar, are committed to helping businesses and developers write and maintain Clean Code. For over 15 years, the company has focused on doing exactly that – investing in R&D to continually improve the breadth, depth, accuracy, and speed of our code analysis products so that the software deployed by our users is reliable, maintainable, and secure. Sonar enables thorough analysis of code with an exhaustive set of 5K+ static analysis rules covering 30+ programming languages, including memory-safe as well as memory-risky languages. Since Sonar solutions (SonarQube for IDE, SonarQube Server, and SonarQube Cloud) are an integral part of the software development workflow, our users can detect and remedy catastrophic faults (including memory-related issues) earlier, during code development, rather than later in the workflow.
As the complexity and volume of code increases exponentially with the use of AI coding assistants, we at Sonar strongly advocate the Clean as You Code approach to software development, which focuses on discovering and remediating issues as a developer writes code, coupled with organization- or project-level Quality Gates that set standards for the development teams. The secure-by-design practice, which starts with writing high-quality and secure code, fosters a strong level of confidence in the deployed application. On top of this, being able to trace and report findings showing that the deployed software has followed best coding practices is a necessity for the auditors and compliance officers of many organizations.
Concluding thoughts
The challenges with insecure software will continue to rise. I commend the administration’s efforts to tackle this complex problem and shine a light on the root causes and solutions. By adopting memory-safe programming languages, Clean Code principles, and continuous code quality analysis to reduce tech debt, organizations can prevent security incidents, reduce risk exposures, and improve the availability of their applications.
Sonar is here to help secure every line of code. Learn more about how you can incorporate clean coding practices in your software development. https://www.sonarsource.com/