White House Report on Memory- and Type-Safety
Very interesting report by The White House calling for more secure and better measurable software. The report argues for memory- and type-safe programming languages, formal methods, and more research on software metrology. What I particularly like is that it mentions the human angle:
βthe inherent challenge of software metrology β the science of software measurement β stems from the fact that software is not just a technical construct, but also a form of human expression. Unlike physical engineering products, most software lacks a uniform structure or composition. This heterogeneity in design and architecture renders the definition of cybersecurity quality highly subjective and context-dependent, complicating the establishment of universal metrics.β
In some parts the report is IMHO too absolute. Not all software is equally critical and not all software needs to be developed using formal methods and provable security properties. The point is that decisions on programming languages, libraries, tools, etc. all come with tradeoffs and should hence be done conscientiously and in the best case in an evidence-based manner.