Blog

White House urges adoption of memory-safe programming languages

The White House Office of the National Cyber Director (ONCD) has released a new report today urging the technology industry to take steps to reduce vulnerabilities in software that leave digital systems open to cyberattacks. The report, titled “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” emphasises the importance of technology manufacturers adopting memory-safe programming languages to prevent entire classes of vulnerabilities from entering the digital ecosystem.

“We, as a nation, have the ability – and the responsibility – to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem but that means we need to tackle the hard problem of moving to memory-safe programming languages,” said National Cyber Director Harry Coker.

The report – the result of collaboration between the ONCD team, the technical community, and public and private sector partners – outlines both the threat and the opportunity in moving towards a future where software is memory-safe and secure by design.

“The Office of the National Cyber Director has written what will become mandatory reading for the entire technical community as it works towards maximising the security of our shared digital ecosystem,” says Shyam Sankar, CTO at Palantir. “By taking an engineering-first approach to cybersecurity policy, the White House is providing an actionable roadmap for reducing memory safe vulnerabilities and improving software measurement capabilities — both of which are necessary to ensure that all software innovators are doing their part to defend against daily cyber threats to US national security.”

The ONCD is also encouraging the research community to address the problem of software measurability, in order to develop better diagnostics that measure cybersecurity quality. By adopting an engineering-forward approach to policymaking, the ONCD is ensuring that the technical community’s expertise is reflected in how the Federal Government approaches these problems.

“It is impressive to see the White House take on the important topic of software security via the use of better programming languages. Memory safety bugs have led to numerous vulnerabilities in real-world systems,” comments Dan Boneh, Professor of Computer Science, Stanford University. “Software quality would be greatly improved if we could somehow wave a magic wand and have all existing software translated to a memory-safe language. Unfortunately, such a magic wand does not yet exist.”

Assistant National Cyber Director for Technology Security, Anjana Rajan, highlighted that some of the most infamous cyber events in history – such as the Morris worm of 1988 and the Heartbleed vulnerability in 2014 – were caused by memory safety vulnerabilities. “For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way,” says Rajan. “This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume—and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and, ultimately, the nation.”

The ONCD has engaged with a diverse group of stakeholders, rallying them to join the Administration’s effort. “This new technical report takes a positive step forward on a critical issue—the need for foundational safeguards against the root cause of many vulnerabilities across the software supply chain,” comments Mark Dankberg, Chairman and CEO of Viasat. “Addressing vulnerabilities across systems and infrastructure, and ensuring resilient and diverse connectivity options are vital to national security interests.”

The report aligns with two major themes of the President’s National Cybersecurity Strategy, released nearly one year ago, which aims to shift the responsibility for cybersecurity away from individuals and small businesses and onto large organisations such as technology companies and the Federal Government, which are more capable of managing the ever-evolving threat. This latest work also complements interest from Congress on this topic, including efforts from the US Senate and House Appropriations Committees and legislative efforts from US Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-MI) and US Senator Ron Wyden (D-OR).

“Internet security problems are global problems, and solving them will require engagement from our nation’s leaders. I commend the Office of the National Cyber Director for taking the important first step beyond high-level policy, translating these ideas into calls-to-action the technical and business communities can understand,” says Jeff Moss, President of DEFCON and Black Hat. “I endorse the recommendation to adopt memory-safe programming languages across the ecosystem because doing so can eliminate whole categories of vulnerabilities that we have been putting band-aids on for the past thirty years.”

Date: 2024-02-27

Category: News

GitHub enables secret scanning push protection by default

In response to the alarming trend of API keys, tokens, and other confidential data being inadvertently exposed, GitHub has taken further steps to fortify its platform against potential breaches. Within the first two months of 2024, GitHub has uncovered one million leaked secrets across public repositories, averaging over a dozen incidents per minute. Such figures underscore the pressing need for robust safeguards to protect users and their data.

Since August last year, GitHub has offered users the option to opt in to secret scanning push protection, a feature that automatically intercepts and blocks a push when sensitive information is detected in its commits. Building on this, GitHub has now made secret scanning push protection the default for all pushes to public repositories. Under this new framework, users are presented with the option either to remove the detected secret from their commits or, if deemed safe, to bypass the block. While the rollout may take a week or two to apply universally, users can proactively verify the status and opt in early through the code security and analysis settings.

Acknowledging the potential ramifications of leaked secrets, GitHub underscores the importance of safeguarding not only private repositories but also public ones, which are integral to the open-source community. With over 95 percent of pushes to private repositories already being scanned by GitHub Advanced Security customers, extending push protection to public repositories reflects a commitment to upholding the integrity and security of the entire GitHub ecosystem.

Despite the implementation of push protection, GitHub affirms users’ autonomy in managing their security preferences. While push protection is now enabled by default, users retain the flexibility to bypass the block or to disable push protection entirely through their user security settings. However, GitHub strongly advises against disabling push protection outright, advocating instead for a judicious approach where exceptions are made on a case-by-case basis.

For organisations on the GitHub Enterprise plan, additional security features – including GitHub Advanced Security – are available to fortify private repositories against potential breaches. This DevSecOps platform encompasses secret scanning, code scanning, AI-powered autofix code suggestions, and other static application security testing (SAST) features. GitHub’s secret-scanning technology covers over 200 token types and patterns from more than 180 service providers, boasting industry-leading precision and minimising false positives. By leveraging the collective efforts of the community, GitHub aims to prevent the inadvertent exposure of sensitive information on public repositories.

Earlier this week, research from Apiiro found that over 100,000 repositories on GitHub are infected with malicious code. The platform has been grappling with an ongoing “repo confusion” attack, in which thousands of repositories flooded with obfuscated malware have targeted the platform. These attacks are part of a larger malware distribution campaign, reminiscent of tactics disclosed by Phylum last year. The campaign relies on deceptive Python packages hosted on cloned repositories to disseminate a malicious payload known as BlackCap Grabber. GitHub’s rollout of automatic push protection serves as a critical defence mechanism against such activity, giving users greater visibility and control over their repositories’ security.
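The block-or-bypass behaviour described above can be reproduced locally as a pre-commit check, so a secret is caught before it ever reaches a push. The following is an added example written for this page, not GitHub's own scanner: it parses the staged diff, flags added lines that match two well-known token shapes (a GitHub personal access token prefix and an AWS access key id prefix; a real scanner has hundreds of provider patterns), blocks the commit, and honours an explicit, logged bypass via an assumed `ALLOW_SECRET` environment variable. The sample diff and pattern set are constructed for the demo.

```python
import os
import re
import sys
# Constructed demo patterns (GitHub PAT and AWS access key id prefixes);
# GitHub's real scanner covers hundreds of provider-specific patterns.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Constructed staged diff; the AWS value is the placeholder key id from AWS's docs.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,1 +1,3 @@
 DEBUG = False
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

def scan_diff(diff_text):
    """Return [(kind, path, new_line_no, masked_token)] for added lines only."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("@@"):  # hunk header gives the new-file start line
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
            line_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):
            line_no += 1
            for kind, pat in SECRET_PATTERNS.items():
                for hit in pat.finditer(line[1:]):
                    findings.append((kind, path, line_no, hit.group(0)[:6] + "..."))
        elif line.startswith(" "):
            line_no += 1  # unchanged context line still advances new-file numbering
    return findings

def check(diff_text, bypass=False):
    """Hook exit status: 0 = allow, 1 = block; a bypass is explicit and logged."""
    findings = scan_diff(diff_text)
    for kind, path, ln, masked in findings:
        print(f"secret detected: {kind} at {path}:{ln} ({masked})", file=sys.stderr)
    if findings and not bypass:
        print("blocked: remove the secret or re-run with ALLOW_SECRET=1", file=sys.stderr)
        return 1
    return 0

if __name__ == "__main__":
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(check(text, bypass=os.environ.get("ALLOW_SECRET") == "1"))
```

Wired into a pre-commit hook as `git diff --cached -U0 | python check_secrets.py`, a non-zero exit aborts the commit; run with no piped input it scans the embedded sample diff instead. Only added lines are inspected, so a secret that is merely being removed does not trigger a block.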

Date: 2024-03-01

Category: News