Secure by Design: Building a Safer Future Through Memory Safety

Posted on September 14, 2024
Author: RunSafe Security

 


The software industry faces a persistent challenge: how to address memory safety vulnerabilities, one of the most common and exploited flaws in modern systems. Memory safety vulnerabilities expose systems to remote control, data breaches, and disruptions, often with devastating consequences. In response, Secure by Design principles offer a forward-thinking solution to the challenge by embedding security into the foundation of software development.

In a recent webinar hosted by RunSafe Security, industry experts Doug Britton, EVP and Chief Strategy Officer at RunSafe, and Shane Fry, Chief Technology Officer at RunSafe, provided insights into the critical role that Secure by Design can play in mitigating these vulnerabilities. 

Here are the key takeaways from their discussion and how RunSafe’s approach supports a proactive cybersecurity model.

Access the full webinar discussion on memory safety here.

Memory Safety: A Persistent Threat

Memory safety vulnerabilities are among the oldest and most widespread issues in software development. Doug Britton emphasized how these vulnerabilities, despite being known for decades, persist in many codebases and continue to be exploited by attackers.

“The classic memory safety issues are among the oldest and most insidious in software,” Doug explained. “We’ve known about them for decades, but they persist, and attackers continue to exploit them.”

According to Jack Cable, senior technical advisor at CISA, two-thirds of vulnerabilities in compiled code are related to memory safety. Attackers frequently weaponize these flaws, leading to widespread breaches and disruptions. Even advanced testing tools and compilers often fail to detect all vulnerabilities, leaving organizations exposed. These vulnerabilities include buffer overflows, which Doug and Shane referenced as a common point of exploitation.

What Is Secure by Design?

Secure by Design is an approach to software development that prioritizes security from the very beginning. Rather than bolting on security measures after the fact, Secure by Design integrates security into every stage of the development lifecycle. The method aims to reduce the likelihood of vulnerabilities by making security an inherent part of the system architecture.

In the case of memory safety, this often involves transitioning to memory-safe languages like Rust and Go, which can drastically reduce the risk of memory-related bugs. However, as Doug noted, transitioning entire codebases to these languages is not a quick fix. “Most vendors we’ve spoken to have said it’s going to take them at least eight years to get a significant portion of their code running in memory-safe languages,” he shared.

This timeline introduces a significant challenge: organizations cannot afford to wait for years while attackers continue to exploit existing vulnerabilities. Immediate solutions are needed to bridge the gap.

RunSafe’s Contribution to Secure by Design

RunSafe Security provides a practical, scalable solution to address memory safety vulnerabilities while organizations work toward the long-term goal of transitioning to memory-safe languages. Instead of requiring developers to rewrite their entire codebase, RunSafe’s technology mitigates vulnerabilities without changing a single line of code.

As Shane Fry explained, RunSafe’s approach focuses on randomizing code layouts in memory. This method prevents attackers from predicting where code is located, making it significantly harder to exploit memory vulnerabilities such as buffer overflows.

“What we do is randomize where the code is in memory,” Shane said. “Even if an attacker finds a buffer overflow, they won’t know where to point the processor to execute their malicious code because everything has been randomized.”

This process, known as Moving Target Defense, effectively protects against both known and unknown vulnerabilities at runtime. RunSafe’s solution can be integrated in as little as 30 minutes, making it accessible for organizations of all sizes without disrupting development workflows.

Challenges in Adopting Secure by Design

Despite its clear benefits, adopting Secure by Design principles is not without its challenges. One of the most significant barriers is the transition to memory-safe languages. As Doug and Shane discussed, this process is resource-intensive and requires specialized expertise, which many organizations do not yet possess.

“To implement Rust or Go, developers need to learn these languages, and that takes time,” Doug pointed out. “It’s not as simple as downloading a module and instantly knowing Rust. It’s going to take an equivalent amount of time and effort as it took to build the original C and C++ codebases.”

Additionally, there are significant economic barriers to rewriting code, especially in industries reliant on legacy systems. Shane highlighted that while Secure by Design offers a path toward a safer future, organizations need interim solutions to protect themselves in the present.

This is where RunSafe’s solution becomes invaluable. By randomizing code layout, organizations can protect their existing systems while planning for the long-term transition to memory-safe languages. This hybrid approach allows companies to mitigate immediate risks without requiring massive investments in rewriting code from scratch.

The Benefits of Secure by Design

While Secure by Design requires upfront investment, its long-term benefits make it a critical strategy for organizations looking to build more secure and resilient systems. 

Shane emphasized that acting now is crucial, as attackers won’t wait for organizations to fully transition to memory-safe languages. “The bugs that exist today are going to be exploited tomorrow,” he warned. “It’s essential that we take immediate steps to protect our systems.”

Key advantages include:

  1. Reduced Vulnerabilities: By embedding security into the development process, Secure by Design helps eliminate vulnerabilities before they become exploitable, reducing the need for costly patches later.
  2. Lower Costs: Addressing security during the design phase can significantly reduce the need for emergency updates, saving organizations time and money.
  3. Improved Developer Efficiency: With security integrated from the start, developers can focus on innovation rather than constantly fixing vulnerabilities post-launch.
  4. Increased Customer Trust: Organizations that prioritize Secure by Design demonstrate a commitment to safety, which builds trust among customers, partners, and stakeholders.
  5. Future-Proofing: Secure by Design helps organizations stay ahead of emerging threats, ensuring that their systems are prepared to withstand future cyberattacks.

Building a Resilient Future

Secure by Design principles offer a clear path forward for organizations looking to protect themselves from memory safety vulnerabilities. RunSafe Security provides a critical solution that helps companies bridge the gap between today’s risks and the long-term goal of transitioning to memory-safe languages.

By embracing Secure by Design and leveraging RunSafe’s technology, organizations can build more resilient systems, reduce their exposure to vulnerabilities, and protect their operations from the ever-present threat of cyberattacks.

For a deeper dive into Secure by Design strategies and memory safety solutions, download our full webinar and learn from industry experts Doug Britton and Shane Fry how to protect your codebase and future-proof your organization’s cybersecurity strategy. 

Secure By Design Webinar

 

RunSafe Security’s 2025 Product Security Predictions

RunSafe Security’s 2025 Product Security Predictions

Product security has come a long way since  the early 2000s to the current iterations we’re seeing today. From CISA’s focus on Secure by Design to the growing emphasis on software supply chain security, software manufacturers, software buyers, and regulatory...

read more