A new level of security called for by the White House and Office of the National Cyber Director
The White House put out a press release yesterday announcing a report from the Office of the National Cyber Director (ONCD) where they make the case that “future software should be memory safe”. That’s music to our ears! We’ve been working towards this goal on our Fastly Compute platform for a long time, so after we’ve completed our long round of applause for the ONCD, we want to show how it’s possible for the tech community to accelerate their plans even further by focusing on today’s software as well. Let’s look at the White House’s statement, and then explain how we can make existing code more memory safe, too! As the White House put it:
“Technology manufacturers can prevent entire classes of vulnerabilities from entering the digital ecosystem by adopting memory safe programming languages.” (Source)
We love this announcement because it’s a huge milestone in the larger movement to create a vastly more secure internet where entire classes of bugs that have haunted software for decades are effectively resolved for millions, or even billions, of users. In the report, the ONCD identifies the programming language as the key building block:
”This report focuses on the programming language as a primary building block, and explores hardware architecture and formal methods as complementary approaches to achieve similar outcomes.” (Source)
That’s great! But it’s just a start. The next necessary step is to improve security and protection for languages without memory safety as well. New memory safe programming languages like Rust are amazing and foundational to this revolution, but we can’t just hope that everything on the internet gets rewritten with exciting new languages — especially when we can improve the security of existing, “unsafe” languages as well.
We can make platforms that are secure by design, like Fastly Compute. Platforms that provide you with a programming environment that is built with memory safe languages, using formal verification techniques to ensure that you can trust in the safety of the platform.
We agree with ONCD that safe languages are great and that's why we're using Rust to build the Fastly platform, and provide SDKs in multiple safe languages like Rust, JavaScript, and Go. We also agree with the ONCD on the use of formal methods and that's why we're using them in crucial parts of our platform, like CraneLift. But what about the billions of lines of code already written and deployed and actively in-use that were written in memory unsafe languages? It's just not practical to tell the world to stop everything and rewrite them all in Rust. There's no silver bullet, but we have been working on a technology that significantly mitigates the danger: WebAssembly.
WebAssembly mitigates the danger in multiple ways. First, through control-flow integrity, due to WebAssembly's protected stack. Second, with fine-grained isolation (e.g., of requests from each other and the Fastly platform) making use of WebAssembly's lightweight sandboxing. And third, we're working on the Component Model, which allows different parts of a single application to be isolated from each other and practice the Principle of Least Authority.
Fastly team members have been pioneering members of the projects pushing for a safer future on the internet, with everything from the creation of the Rust programming language, to the evolution and growth of WebAssembly, to new and safer protocols. We’re always there because we believe in working toward a future where experiences on the internet aren’t just faster, but safer and better for everyone involved.
Best of all, you don’t have to wait for some indefinite future to get started. You can start today, right now, with the power of Fastly’s instant global platform, using Fastly Compute. Now, we can’t say that every problem in memory safety and safer computing has been solved, but the ecosystem is finally far enough along to get started, so it’s time for us all to make the leap.
If you want to know more about how quickly your organization can move toward safety and compliance with the findings in the ONCD’s report, get in touch. We would love to talk to you about making your applications and workloads safe-by-default.
We agree with the White House and the ONCD, but you shouldn’t just make this leap because it sounds good in a press release. You should do it to make your applications more secure, you should do it to protect your organization from all the bugs that come from unprotected memory, and you should especially do it because you’ll be providing a better and safer experience for your end users.
At Fastly, we talk all the time about how we want to make the internet better. Today’s call for an internet of safer software is a big part of that mission that we can all get behind. If that sounds like the kind of security you want or the vision you want to be a part of, come say hello.