The Cybersecurity and Infrastructure Security Agency and the FBI are calling on manufacturers to take steps to prevent buffer overflow vulnerabilities from being introduced into their products.
Persistent Security Issue
The agencies said in a Secure by Design Alert issued Wednesday that buffer overflow vulnerabilities are a common and well-documented kind of memory safety software design defect that can lead to system compromise. Despite the availability of proven mitigation measures, manufacturers continue to use unsafe software development practices, resulting in the persistence of buffer overflow vulnerabilities.
Effective Mitigation Measures
The alert documents mitigation measures that CISA has deemed most effective and feasible. These include the use of memory-safe languages when developing software, conducting aggressive adversarial product testing and the publication of a memory-safety roadmap detailing how the manufacturer plans to develop new products with memory-safe languages and migrate code to memory-safe languages. It was recommended that manufacturers put the measures into effect.
Role of the Customer
CISA and the FBI are also calling on customers to help ensure that manufacturers adhere to safe software development practices. According to the two agencies, customers can help by asking manufacturers to provide a software bill of materials and a secure software development attestation.
