Modernizing secure code for the public sector
COMMENTARY | Refactoring legacy applications into modern programming languages yields not only memory-safe applications but typically produces smaller code bases, notably faster runtimes and increased scalability.
The White House recently developed a report and guidance on developing secure and measurable software to support the National Cybersecurity Strategy (NCS). It highlights two key themes that will drive progress toward the goals of the NCS: the adoption of memory-safe languages and the establishment of accurate cybersecurity quality metrics to improve software measurability.
Memory safety is a property of certain programming languages that prevents whole classes of security bugs arising from how memory is allocated, accessed and freed, which makes software written in them more secure than software written in languages that are not memory-safe. Organizations are well-positioned to pursue modernization initiatives and the switch to memory-safe programming languages, because the foundational elements of many cyberattacks are flaws that legacy programming languages make easy to introduce.
By tackling the two biggest steps of modernizing legacy languages and leveraging software measurement, software creators can secure the building blocks of applications and take advantage of more informed decision-making. This, in turn, creates a more secure cyber infrastructure for public sector use.
Transitioning to memory-safe programming languages
The exploitation of memory vulnerabilities in legacy coding languages such as C and C++ dates back 35 years. Now is the time to begin transitioning to a more secure software development environment.
Those looking for somewhere to start with modernizing legacy code can begin by referencing CISA's Memory Safe Roadmap. Refactoring code can be part of a larger modernization initiative, such as moving a legacy application to the cloud. A real-world example of such refactoring is Google Chromium opening the door to Rust in order to begin moving away from its memory-unsafe C code base.
The benefits are more than just code security. Refactoring legacy applications into modern programming languages yields not only memory-safe applications but typically produces smaller code bases, notably faster runtimes, and increased scalability.
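To make the C-to-Rust refactoring concrete, here is an added example that is not code from the article, CISA or the Chromium project: a small length-prefixed record parser, with the typical legacy C shape of the routine shown as a comment and the Rust rewrite below it. The record format and the sample input are constructed for illustration.

```rust
// Added example (not from the article): a length-prefixed record parser
// refactored from its typical legacy C form into memory-safe Rust.
//
// Typical C shape of this routine (hypothetical, for contrast only):
//   uint8_t len = buf[0];
//   memcpy(out, buf + 1, len);   /* nothing checks that buf holds len+1 bytes */
//
// In Rust an out-of-range slice access is a checked operation: `get`
// returns None instead of reading past the end of the buffer, and the
// borrow checker ties the returned payload to the lifetime of the input,
// so the returned slice can never dangle or alias freed memory.

/// Parse one record of the form `[len: u8][payload: len bytes]` from the
/// start of `buf`. Returns the payload and the number of bytes consumed,
/// or None if the buffer is truncated.
pub fn parse_record(buf: &[u8]) -> Option<(&[u8], usize)> {
    let len = *buf.first()? as usize;
    // Bounds-checked: a declared length larger than the remaining bytes
    // yields None rather than an over-read. `1 + len` cannot overflow
    // because len came from a single byte.
    let payload = buf.get(1..1 + len)?;
    Some((payload, 1 + len))
}

/// Parse every record in `buf`, stopping at the first malformed one.
pub fn parse_all(mut buf: &[u8]) -> Vec<&[u8]> {
    let mut records = Vec::new();
    while !buf.is_empty() {
        match parse_record(buf) {
            Some((payload, used)) => {
                records.push(payload);
                buf = &buf[used..]; // `used` <= buf.len(), guaranteed by parse_record
            }
            None => break,
        }
    }
    records
}

fn main() {
    // Constructed sample: two well-formed records followed by one whose
    // declared length (9) exceeds the single remaining byte.
    let input: &[u8] = &[3, b'a', b'b', b'c', 1, b'z', 9, b'x'];
    let records = parse_all(input);
    for r in &records {
        println!("record: {}", String::from_utf8_lossy(r));
    }
    println!("{} records parsed; truncated trailing record rejected", records.len());
}
```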
AI can help expedite the adoption of memory-safe languages. Organizations leveraging AI can accelerate the rewriting of legacy code while maintaining the quality, maintainability, and functionality of the modernized codebase. It can be applied in several ways, including refactoring, testing, and code generation, to take some of the burden off developers.
Incentivizing secure software development practices
Most cybersecurity experts agree that software measurement takes time and is difficult to standardize, which is further evidenced in ONCD’s Back to the Building Blocks: A Path Toward Secure and Measurable Software technical report.
The report calls software measurability “one of the hardest open research problems to address,” noting that cybersecurity researchers have sought to address it for decades. To standardize a framework for software development measurement, organizations must refine existing metrics to measure software security and efficiency better.
Government agencies should consider incentivizing secure software development by measuring value delivery to show the progress and impact of modernization initiatives. Value stream analytics help develop a cost/return model and identify bottlenecks, giving the organization better insight as it balances innovation with cybersecurity.
By leveraging these insights, organizations can validate that modernization initiatives are worth prioritizing by using metrics to show the value of the work and time spent refactoring legacy applications into memory-safe programming languages.
Modernization initiatives improve national cybersecurity efforts
The federal government is prioritizing secure software development and memory-safe programming languages to bolster national cybersecurity efforts, but the public sector has a big challenge ahead.
It will be important for developers, software manufacturers, and federal IT leaders to work together to start thinking proactively about modernization initiatives. The sooner we can begin refactoring legacy code into memory-safe programming languages, the sooner we can eliminate an entire class of vulnerabilities and improve our national cyber posture.