The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) published on Tuesday a joint cybersecurity information sheet underscoring the urgent need to adopt memory safe programming languages to strengthen software security and reduce vulnerability risks. Memory safety is fundamental to secure software development and must be part of any comprehensive cybersecurity strategy. Shifting to memory safe languages offers a direct path to reducing exploitable flaws and improving overall software resilience.

Titled ‘Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development,’ the new guidance stresses that improving national cybersecurity requires more than developer discipline or coding best practices. To effectively reduce memory-related vulnerabilities, organizations must adopt programming languages that offer built-in protections, along with strong library support, tooling, and developer training. 

To strengthen national cybersecurity and reduce memory vulnerabilities, software producers, especially those for National Security Systems (NSS) and critical infrastructure, should utilize this guidance to plan for and begin using memory safe languages for their software systems.

While decades of experience with non-memory safe languages show that secure coding standards and static analysis can help mitigate risks, they cannot eliminate memory safety flaws as effectively as the protections built into memory safe languages. These languages shift the burden of safety from individual developers to the language and development environment itself. By embedding safeguards at the language level, they improve security outcomes and reduce reliance on after-the-fact detection tools.

However, adoption is not without challenges. Choosing the right memory safe language depends on factors like performance needs and concurrency, which can be especially complex in large or legacy codebases. In many cases, immediate adoption may not be practical, and organizations may need to invest in refactoring, training, and tooling to fully benefit from the shift to memory safe development.

Memory safety vulnerabilities like buffer overflows have plagued software systems for decades. Incidents such as Heartbleed and BadAlloc highlight the severe consequences of poor memory management. Heartbleed compromised more than 800,000 of the most visited websites and exposed millions of sensitive personal records, including hospital patient data. BadAlloc impacted embedded devices, industrial control systems, and over 195 million vehicles, underscoring how memory flaws can pose direct threats to national security and critical infrastructure.

These examples make clear the need for stronger solutions. Memory safe languages such as Ada, C#, Delphi/Object Pascal, Go, Java, Python, Ruby, Rust, and Swift offer built-in protections that eliminate entire classes of vulnerabilities, including buffer overflows, dangling pointers, and many others tracked in the Common Weakness Enumeration (CWE). Unlike traditional languages that rely heavily on developer discipline for safe memory handling, they embed memory safety mechanisms at the language level, making them more secure by design and a strategic choice for building resilient, modern software.

The importance of memory safety is backed by hard data. A 2019 study found that 66 percent of CVEs in iOS 12 and 71 percent in macOS Mojave were linked to memory safety issues. The impact of these vulnerabilities can be severe, leading to data breaches, system crashes, and widespread operational disruption. Google Project Zero’s review of real-world exploits showed that 75 percent of CVEs used in active attacks were memory safety flaws. Of the 58 zero-day vulnerabilities discovered in the wild in 2021, 67 percent fell into this category.

CISA and NSA say these figures underscore why adopting memory safe languages is seen as a foundational step toward improving software security. By eliminating entire classes of vulnerabilities by default, memory safe languages support CISA’s ‘Secure by Design’ principles and reduce the risk of high-cost security incidents.

Memory safe languages incorporate built-in mechanisms, such as bounds checking, memory management, and data race prevention, to guard against various memory bugs and vulnerabilities. Without these safeguards, such weaknesses could be exploited by malicious actors. By embedding these safety features directly at the language level, memory safe languages prevent memory safety issues from the outset.
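
The bounds checking described above, as an added example in Rust (not code from the information sheet or the agencies): a responder echoes back a payload whose length is declared inside the message itself, the pattern behind over-read bugs such as Heartbleed. The record layout and the names `echo_payload`, `EchoError` and `index_without_check_panics` are assumptions made for this illustration.

```rust
// Added illustration. Constructed record layout (an assumption, not a real protocol):
// [type: 1 byte][claimed payload length: 2 bytes, big-endian][payload ...]

#[derive(Debug, PartialEq)]
enum EchoError {
    Truncated,
    LengthMismatch { claimed: usize, available: usize },
}

/// Return the payload to echo back, or an error when the sender's
/// claimed length exceeds the bytes that were actually received.
fn echo_payload(record: &[u8]) -> Result<&[u8], EchoError> {
    // `get` returns None instead of reading past the end of the slice.
    let header = record.get(..3).ok_or(EchoError::Truncated)?;
    let claimed = u16::from_be_bytes([header[1], header[2]]) as usize;
    let body = &record[3..];
    body.get(..claimed).ok_or(EchoError::LengthMismatch {
        claimed,
        available: body.len(),
    })
}

/// What happens if the developer forgets the check and indexes directly:
/// the access panics at the slice boundary, it does not return adjacent memory.
fn index_without_check_panics(record: &[u8], claimed: usize) -> bool {
    std::panic::catch_unwind(|| record[3..3 + claimed].len()).is_err()
}

fn main() {
    // Constructed sample inputs.
    let honest = [1u8, 0x00, 0x04, b'p', b'i', b'n', b'g'];
    let lying = [1u8, 0x40, 0x00, b'p', b'i', b'n', b'g']; // claims 16384 bytes
    println!("{:?}", echo_payload(&honest));
    println!("{:?}", echo_payload(&lying));
    println!("{}", index_without_check_panics(&lying, 16384));
}
```

In a language without bounds checking, the same omitted check would let the copy run past the received buffer; here the worst outcome is a rejected request or a terminated handler.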

The authoring agencies urge organizations to consider whether adopting memory safe languages is practical for their circumstances, and provide adoption approaches and engineering considerations for integrating memory safe languages into their software effectively. Memory safe language adoption does not require existing code to be completely rewritten, and the report provides guidance on using interoperability to integrate with existing codebases. The report also details ways non-memory safe languages can be made safer in cases where adopting a memory safe language is not practically feasible.

Memory vulnerabilities pose serious risks to national security and critical infrastructure. Memory safe languages offer the most comprehensive mitigation against this pervasive and dangerous class of vulnerability. Adopting memory safe languages can accelerate modern software development and enhance security by eliminating these vulnerabilities at their root. Strategic memory safe language adoption is an investment in a secure software future. By defining memory safety roadmaps and leading the adoption of best practices, organizations can significantly improve software resilience and help ensure a safer digital landscape.
