Skip to content

33.1: Emerging Technologies for Defense

The supply chain security challenges explored throughout this book exist within a technological context that is itself evolving. Emerging technologies offer promising approaches to some of the most persistent security problems—memory safety vulnerabilities that have plagued software for decades, the impossibility of manually reviewing all code, and the challenge of quickly patching widely-deployed software. Understanding which technologies will meaningfully improve defense, and on what timeline, helps organizations make informed investment decisions rather than chasing hype.

Some of these technologies are mature enough for immediate adoption. Memory-safe languages are production-ready today; the barrier is transition, not technical capability. Others remain research frontiers with uncertain timelines—formal verification of complex systems and truly autonomous vulnerability remediation may be years away from widespread applicability. Still others are advancing rapidly but require careful evaluation—AI-assisted security tools show remarkable capabilities alongside significant limitations. Navigating this landscape requires distinguishing between what's ready now, what's coming soon, and what remains aspirational.

Memory-Safe Languages

Memory safety vulnerabilities—buffer overflows, use-after-free errors, null pointer dereferences—have caused the majority of critical security issues for decades. Microsoft reports that approximately 70% of their security vulnerabilities stem from memory safety issues. Google found similar proportions in Chrome. The solution, long known but slowly adopted, is using programming languages that prevent these errors by design.

Current memory-safe options:

Rust has emerged as the leading memory-safe systems programming language:

  • Zero-cost memory safety through ownership system
  • No garbage collector (suitable for systems programming)
  • Interoperability with C code
  • Growing adoption: Linux kernel, Android, Windows, Firefox
  • Active ecosystem with strong security focus

Go provides memory safety for network services and cloud applications:

  • Garbage-collected memory management
  • Built-in concurrency primitives
  • Strong standard library
  • Widely used in cloud infrastructure (Kubernetes, Docker)
  • Growing adoption for security tooling

Swift offers memory safety for Apple ecosystem:

  • Automatic reference counting
  • Optional types preventing null errors
  • Default safety with explicit unsafety
  • Primary language for iOS/macOS development

Adoption trajectory:

Memory-safe language adoption is accelerating:

  • Google: Rust in Android, Chrome; Go across infrastructure
  • Microsoft: Rust in Windows components, Azure
  • Amazon: Rust in AWS services, Firecracker
  • Linux kernel: Rust support merged in 6.1 (December 2022)
  • NSA/CISA: Explicit guidance recommending memory-safe languages

CISA's December 2023 report "The Case for Memory Safe Roadmaps" recommends that software manufacturers prioritize memory-safe programming languages to eliminate entire categories of memory safety vulnerabilities from their products.

C/C++ transition challenges:

Transitioning from C/C++ faces significant barriers:

  • Existing codebase: Billions of lines of C/C++ in production
  • Expertise: Decades of C/C++ knowledge; Rust expertise still limited
  • Performance concerns: Perceived (often incorrect) performance penalties
  • Toolchain maturity: C/C++ toolchains extremely mature
  • Interoperability overhead: Mixing languages creates complexity

Realistic timeline:

The transition will take decades to complete:

  • Now: New projects can choose memory-safe languages
  • 2025-2030: Major projects incorporate memory-safe components
  • 2030-2040: Critical infrastructure migrates high-risk components
  • 2040+: Legacy C/C++ persists in embedded and specialized contexts

Organizations should adopt memory-safe languages for new development immediately while planning gradual migration of highest-risk existing components.

Formal Verification

Formal verification uses mathematical proof to demonstrate that software behaves according to its specification—not just that tests pass, but that no inputs can cause incorrect behavior. This approach offers the highest assurance level but has historically been limited to small, critical systems.

Current capabilities:

Formal verification has proven effective for:

  • Cryptographic implementations: Verified crypto libraries (HACL*, Fiat-Crypto)
  • Operating system kernels: seL4 microkernel with complete formal verification
  • Compilers: CompCert C compiler proved to preserve program semantics
  • Security protocols: TLA+ and similar tools for protocol verification
  • Smart contracts: Formal verification increasingly common for blockchain code

Verification approaches:

Model checking: - Exhaustive exploration of system states - Effective for protocols and state machines - Limited by state space explosion

Theorem proving: - Interactive proof development with tools like Coq, Isabelle - Can handle infinite state spaces - Requires significant expertise and effort

Automated verification: - Static analysis with formal guarantees - Tools like CBMC, Frama-C - Limited scope but more accessible

Supply chain applications:

Formal verification can address supply chain security through:

  • Verified cryptographic primitives: Ensuring signatures and hashes are correct
  • Verified parsers: Preventing parsing vulnerabilities in data handling
  • Verified build tools: Ensuring build correctness
  • Contract verification: Proving API implementations match specifications

Practical limitations:

Formal verification faces challenges:

  • Specification difficulty: Verifying against wrong specification proves nothing
  • Scale limitations: Full verification of large systems remains infeasible
  • Expertise requirements: Verification specialists are scarce
  • Cost: Verified software typically costs 2-3x more for well-established patterns (such as the seL4 microkernel), though complex full-system verification can exceed 10x; costs are decreasing as tooling matures
  • Environmental assumptions: Verification assumes correct underlying systems

Realistic expectations:

Formal verification will likely remain limited to:

  • Security-critical components (crypto, authentication)
  • High-assurance contexts (aerospace, defense, safety-critical)
  • Specific properties rather than complete correctness
  • Small kernels and core libraries rather than full applications

Most software will continue relying on testing, review, and defense in depth rather than formal proof.

AI-Assisted Vulnerability Detection

Artificial intelligence, particularly large language models, has transformed vulnerability detection capabilities. AI tools can analyze code at scale, identify patterns humans miss, and continuously improve through learning.

Current AI security tools:

Code scanning: - GitHub Copilot and CodeQL with AI-enhanced rules - Snyk Code using ML for vulnerability detection - Amazon CodeGuru for security review - Semgrep with AI-assisted rule generation

Vulnerability discovery: - Google OSS-Fuzz with ML-guided fuzzing - AI-assisted variant analysis finding similar bugs - LLM-based code review assistants

Malware detection: - Package analysis using behavioral ML models - Anomaly detection in dependency updates - Suspicious pattern identification

Capabilities and limitations:

Current capabilities: - Pattern recognition across large codebases - Natural language explanation of vulnerabilities - Code similarity analysis for variant finding - Automated triage and prioritization - Continuous learning from new findings

Significant limitations: - High false positive rates in many contexts - Limited understanding of complex security properties - Vulnerable to adversarial inputs - Training data biases affect findings - Cannot reason about novel vulnerability classes

Supply chain applications:

AI tools increasingly support supply chain security:

  • Dependency analysis: Automated assessment of new dependencies
  • Pull request review: AI-assisted review of changes
  • Package scanning: Detection of malicious packages
  • Vulnerability correlation: Linking CVEs to affected code

Realistic assessment:

AI-assisted security tools are valuable but not transformative yet:

  • Best as augmentation of human review, not replacement
  • Effective for known patterns, weak for novel issues
  • Require validation—can't be trusted blindly
  • Improving rapidly but fundamental limitations remain
  • Most effective when combined with traditional tools

Organizations should adopt AI security tools as one layer of defense while maintaining human oversight and traditional security practices.

Automated Patching and Remediation

The challenge of patching vulnerabilities across large deployments has driven development of automated remediation technologies.

Current capabilities:

Dependency updates: - Dependabot, Renovate automatically update dependencies - PR creation with changelog and compatibility information - Merge automation based on test results - Widespread adoption in modern development

Automated code fixes: - GitHub Copilot suggesting security fixes - CodeQL autofix proposing remediations - IDE plugins offering quick fixes - Limited to well-understood vulnerability patterns

Hot patching: - Runtime patching without restart (ksplice, kpatch) - Primarily for kernel and system components - Limited applicability for application code

Challenges:

Automated patching faces significant challenges:

  • Breaking changes: Updates may change behavior
  • Compatibility: New versions may not work with existing code
  • Testing coverage: Automated tests may not catch regressions
  • Complex dependencies: Changes cascade through dependency graphs
  • Security of automation: Automated systems become attack targets

Emerging approaches:

Research addresses these challenges:

  • Semantic analysis: Understanding whether updates are breaking
  • Automated compatibility testing: Verifying behavior preservation
  • Staged rollout: Gradual deployment with automatic rollback
  • AI-generated patches: LLMs proposing fix code

Realistic expectations:

Automated patching will likely evolve:

  • Now: Automated PR creation, manual review and merge
  • 2025-2027: Increased auto-merge for low-risk updates
  • 2027-2030: AI-assisted fix generation with human approval
  • 2030+: Fully automated patching for well-understood patterns

Full automation remains limited by the need for human judgment on compatibility, performance, and correctness. Organizations should automate where confidence is high while maintaining human oversight for critical systems.

Hardware-Assisted Security

Hardware security features provide defenses that software alone cannot circumvent, offering stronger guarantees for critical operations.

Confidential computing:

Confidential computing protects data and code during processing, not just at rest and in transit:

Key technologies: - Intel SGX: Secure enclaves for code and data isolation - AMD SEV: Encrypted virtual machine memory - ARM TrustZone: Secure world separation - Intel TDX: Trust domain extensions for VM isolation

Supply chain applications: - Secure build environments: Build in enclaves, preventing tampering (see Sigstore) - Key protection: Signing keys protected in hardware - Attestation: Cryptographic proof of execution environment - Secure multi-party computation: Collaboration without revealing inputs

Current state:

Confidential computing is production-ready but not ubiquitous:

  • Major cloud providers offer confidential VMs (Azure, GCP, AWS)
  • Adoption growing for sensitive workloads
  • Performance overhead decreasing with newer hardware
  • Ecosystem tools maturing

Limitations:

Hardware security faces challenges:

  • Side channels: Many attacks bypass hardware protections
  • Trust assumptions: Must trust hardware vendor
  • Complexity: Proper use requires expertise
  • Coverage: Not all workloads suitable for enclaves
  • Attestation verification: Verification infrastructure still developing

Supply chain security potential:

Hardware security can strengthen supply chains:

  • Secure builds: Builds in attested environments provide stronger provenance
  • Key management: Hardware-protected keys resist compromise
  • Runtime protection: Confidential computing protects deployed software
  • Verification infrastructure: Hardware attestation supports trust decisions

Timeline:

Hardware security adoption trajectory:

  • Now: Available in cloud, used for high-security workloads
  • 2025-2027: Broader adoption for security-sensitive applications
  • 2027-2030: Standard feature for critical infrastructure
  • 2030+: Routine for builds, signing, and sensitive operations

Investment Priorities

Organizations should prioritize emerging technology investments based on readiness and impact.

Immediate priorities (now):

  1. Memory-safe languages for new development
  2. Automated dependency updates with human review
  3. AI-assisted code scanning as supplemental tool
  4. Hardware key protection for signing keys

Near-term priorities (2025-2027):

  1. Memory-safe rewrites of high-risk components
  2. Confidential build environments for sensitive software
  3. Expanded automation with staged rollout
  4. Formal verification for cryptographic code

Longer-term priorities (2027+):

  1. Broader formal verification for critical components
  2. Advanced AI remediation with validated automation
  3. Full confidential computing for sensitive workloads
  4. Memory-safe migration of legacy systems

Recommendations

We recommend organizations approach emerging technologies strategically:

For immediate action:

  1. Adopt memory-safe languages for new projects—the technology is mature
  2. Deploy AI security tools as augmentation, not replacement
  3. Enable automated dependency updates with appropriate review processes
  4. Protect signing keys with hardware security modules or secure enclaves

For planning:

  1. Develop memory-safe roadmaps identifying high-risk components for migration
  2. Evaluate confidential computing for builds and sensitive operations
  3. Track formal verification advances for applicability to your context
  4. Build expertise in emerging technologies through training and hiring

For realistic expectations:

  1. Accept gradual timelines—transformation takes years to decades
  2. Layer defenses rather than relying on any single technology
  3. Maintain skepticism about revolutionary claims
  4. Focus on fundamentals while adopting incremental improvements

Emerging technologies will improve supply chain security, but they won't eliminate the need for the practices discussed throughout this book—careful dependency management, verification, monitoring, and response. The technologies that succeed will be those that make existing good practices more effective and more scalable, not those that promise to replace human judgment entirely.