The Cybersecurity Coalition submitted comments in response to the Office of the National Cyber Director (ONCD) Request for Information (RFI) on Open-Source Software Security: Areas of Long-Term Focus and Prioritization. Our response focuses on fostering the adoption of memory safe programming languages within open-source software.

The Coalition recognizes the value of memory safe programming languages for enhancing open-source software security, but cautions that mandating the complete rewriting of existing code presents significant complexities and may do more security harm than good, especially in the short term. A more practical approach would prioritize memory safe languages for new projects while offering safe harbor for legacy code.

It's important to remember that memory safe languages are just one piece of the security puzzle. To truly bolster open-source software resilience, a holistic approach is needed, aligned with the National Cyber Strategy. By emphasizing secure build environments, robust architectures, and zero trust strategies, we can fortify the security of all critical software - ensuring a safer digital ecosystem for everyone. Our comments go into five specific themes.

Open-Source Tools and Frameworks

Commercially available and open-source tools both play a crucial role in enhancing the overall security of open-source software. Our comments point to examples like the Open Web Application Security Project (OWASP) dependency check tool, which identifies project dependencies and checks them for known open-source vulnerabilities. Regular testing of open-source components and dependencies, maintaining strict security rules and standards, and using software bills of materials (SBOMs) can all contribute to application security. Additionally, implementing a secure development lifecycle (SDL) can reduce risk throughout a product’s lifecycle, covering development, compilation, and deployment. Combining these strategies with secure architectures and a zero trust approach can all help protect against data exploitation.

Rewriting Memory Unsafe Code / Encourage Memory Safe in New Products

The Coalition opposes mandating the rewriting of existing products or libraries in memory safe programming languages, as it is a complex process that poses potential drawbacks. While memory safe languages are preferred for new projects, transitioning from memory unsafe code can be resource-intensive, risk-prone, and disruptive, potentially degrading product performance. We suggest a risk-based evaluation, considering downtime and performance impacts, and emphasize that cybersecurity best practices like multifactor authentication and encryption may be more beneficial than transitioning to memory safe languages for some products and services. ONCD should also consider a safe harbor for existing code written in memory unsafe languages, while encouraging the use of memory safe languages in new products and libraries.

Avoid Specific Controls

The Coalition also cautions against mandating certain controls or specific memory safe languages. Technology is always evolving, and what may be considered best-in-class today could change tomorrow. Instead, requiring ‘adherence to security best practices’ or referring to standards or frameworks that are more regularly updated is preferred. This method avoids creating a compliance checklist and prioritizes security performance.

Funding

To support the open-source software community and encourage memory safe language adoption, the U.S. government should consider partnering with third-party organizations to provide grants for high-impact projects. A successful model is exemplified by the Open Technology Fund (OTF), an independent non-profit funded through the U.S. Agency for Global Media. OTF’s inclusion of subject matter experts in project selection and guidance has proven effective, and a similar approach could be employed to secure open-source programming languages by partnering with experts knowledgeable about the transition to memory safe languages.

Heather West & Alexis Steffaro
