
Redazione RHC : 28 June 2025 20:21

The main US cybersecurity agencies, CISA and NSA, have published a joint document recommending that software developers opt for programming languages considered “memory safe”. These languages are designed to provide protection against critical crashes caused by memory management errors, which are one of the most dangerous and frequent types of vulnerabilities.

The document highlights that unauthorized memory access errors continue to be a major threat to both ordinary users and critical information systems. Languages such as Rust, Go, C#, Java, Swift, Python and JavaScript mitigate this risk by performing static checks on memory allocation during compilation, significantly reducing the likelihood of such vulnerabilities.

The most widely used systems languages, C and C++, do not include such protection by default. In theory, developers can minimize the risks by using static code analysis and strictly following secure programming standards. In daily practice, however, not all developers pay enough attention to this aspect.

Although the main program may comply with today’s standards, integrating C or C++ libraries via the Foreign Function Interface (FFI) can pose a security risk. This type of vulnerability is particularly alarming because it could affect projects that initially appear to be completely safe.

The extent of the problem is confirmed by the largest IT companies. According to Google, in 2018, 90% of all critical security flaws in Android were related to incorrect memory usage. In the Chromium browser, 2021 data put the share of such vulnerabilities at over 70%. This category also includes the infamous Heartbleed bug in the OpenSSL cryptographic library, which allowed attackers to read data outside of the assigned area.

The relatively recent Google Cloud outage, which occurred in June of this year, also turned out to be related to a classic problem: a missing null pointer check. In practice, this kind of flaw causes crashes or creates entry points for attacks in systems where memory checks are not sufficiently rigorous.
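The two failure modes named above, a bounds check missing on a length the sender controls (the Heartbleed class) and a missing null pointer check, in an added C example that is not part of the article. The record format, the function names and the arena layout are constructed for the illustration; the unchecked echo is included only to contrast it with the checked version, and the demo keeps the over-read inside an array it owns so the program itself stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (an assumption for this example): bytes 0-1 carry
 * a big-endian payload length, the payload follows. A receiver echoes the
 * payload back to the sender. */

/* Vulnerable echo: trusts the declared length, Heartbleed-style, and never
 * checks its pointers. Whatever sits after the real payload in memory is
 * copied to the caller. */
size_t echo_unchecked(const uint8_t *rec, uint8_t *out)
{
    size_t declared = ((size_t)rec[0] << 8) | rec[1];
    memcpy(out, rec + 2, declared);
    return declared;
}

/* Hardened echo: rejects NULL pointers, a truncated header, a declared
 * length larger than what was actually received, and an output buffer
 * that is too small. Returns 0 on success, -1 on any violation. */
int echo_checked(const uint8_t *rec, size_t rec_len,
                 uint8_t *out, size_t out_len, size_t *copied)
{
    if (rec == NULL || out == NULL || copied == NULL)
        return -1;                       /* null pointer check */
    if (rec_len < 2)
        return -1;                       /* header incomplete */
    size_t declared = ((size_t)rec[0] << 8) | rec[1];
    if (declared > rec_len - 2)
        return -1;                       /* claims more than was received */
    if (declared > out_len)
        return -1;                       /* would overflow the caller's buffer */
    memcpy(out, rec + 2, declared);
    *copied = declared;
    return 0;
}

/* Constructed arena: a 5-byte "hello" record that claims 32 bytes, with an
 * unrelated secret placed right behind it, as it might be on a real heap.
 * Everything lives in one array so the over-read stays inside an object
 * this program owns. */
#define ARENA_LEN 64
#define RECORD_LEN 7                     /* 2-byte header + "hello" */

static void build_arena(uint8_t arena[ARENA_LEN])
{
    memset(arena, 0, ARENA_LEN);
    arena[0] = 0x00; arena[1] = 0x20;    /* declared length 32, real length 5 */
    memcpy(arena + 2, "hello", 5);
    memcpy(arena + RECORD_LEN, "SECRET-KEY", 10);
}

/* Returns 1 if the unchecked echo copied the neighbouring secret out. */
int unchecked_leaks_secret(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena);
    size_t n = echo_unchecked(arena, out);
    /* secret sits at arena offset 7, i.e. payload offset 5 */
    return n == 32 && memcmp(out + 5, "SECRET-KEY", 10) == 0;
}

/* Returns -1 when the hardened echo rejects the same oversized record.
 * Only RECORD_LEN bytes were "received"; the rest of the arena is other
 * process memory the parser must never touch. */
int checked_rejects_oversized(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t copied = 0;
    build_arena(arena);
    return echo_checked(arena, RECORD_LEN, out, sizeof out, &copied);
}

/* Returns the number of bytes echoed for an honest record, or -1. */
int checked_accepts_honest(void)
{
    uint8_t rec[7] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[8];
    size_t copied = 0;
    if (echo_checked(rec, sizeof rec, out, sizeof out, &copied) != 0)
        return -1;
    return (int)copied;
}

int main(void)
{
    printf("unchecked echo leaks secret: %s\n",
           unchecked_leaks_secret() ? "yes" : "no");
    printf("checked echo, oversized record: %d\n", checked_rejects_oversized());
    printf("checked echo, NULL record: %d\n", echo_checked(NULL, 0, NULL, 0, NULL));
    printf("checked echo, honest record: %d bytes\n", checked_accepts_honest());
    return 0;
}
```

The point of the contrast is that the unchecked version is not "wrong" for honest input; it only fails when the declared length and the received length disagree, which is exactly the case a bounds check exists to catch. In a memory-safe language the `memcpy` past the received buffer would fault or be rejected by the runtime instead of silently returning neighbouring memory.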

So the giants are now, rightly, increasingly supporting the adoption of memory-safe languages. Back in 2022, Microsoft officially recommended developing new applications in Rust or similar technologies. In 2023, government agencies also joined these initiatives. CISA Director Jen Easterly publicly stated the need for the industry to move to more secure solutions.

The process of adapting, however, is not easy. For the past year, the Linux kernel community has been abuzz with debates about integrating Rust drivers. C and C++ proponents have also proposed alternatives: TrapC, FilC, Mini-C, and Safe C have emerged, all aimed at improving code security without abandoning familiar technologies. At the same time, Google is improving memory protection in C without sacrificing performance.

A recent report jointly released by CISA and NSA highlights that the full adoption of secure programming languages is a process that requires considerable investment, human resources, and time. Organizations with a large legacy code base or that operate within critical infrastructure may find this transition particularly challenging. Despite the challenges, the benefits associated with adopting such languages, including reducing potential vulnerabilities and improving the overall reliability of the software, make this change not only desirable, but inevitable.

The U.S. government is also promoting its own initiatives to accelerate the process. The DARPA TRACTOR (Translating All C to Rust) program is designed to create automated tools to convert existing C projects to Rust, minimizing manual work. Researchers from Princeton, UC Berkeley, and UC San Diego are developing the Omniglot project, which will ensure that Rust code can interact safely with third-party libraries via FFI.

The government, as CISA and NSA emphasize, does not rely solely on its own programs, but also on collaboration with private companies. One of the strategies envisaged includes incentivizing the creation of jobs that require skills in using secure programming languages, with the aim of increasing the number of highly qualified specialists and speeding up the adoption of new standards.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
