The National Security Agency (NSA) and U.S. Cybersecurity and Infrastructure Security Agency (CISA) have published a joint guide, Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development, that identifies the main obstacles in adopting memory safe languages, provides practical solutions to address these challenges, and emphasizes critical factors for organizations aiming to shift towards more secure software development methods.
The document expands on recommendations for critical infrastructure organizations to implement to achieve better memory safety, such as language-level protections, library support, robust tooling, and developer training.
Memory safety vulnerabilities pose serious risks to national security and Critical Infrastructure—adopting memory safe languages (MSLs) like Rust, Go, and Java offer built-in protections against buffer overflows, use-after-free bugs & other vulnerabilities.
Why Memory-Safe Languages Are Important
Reduced Security Vulnerabilities: Memory safety issues are a major source of security vulnerabilities. By using memory-safe languages, developers can significantly reduce the risk of exploits that target memory-related bugs.
Increased Reliability: Memory-safe languages help prevent crashes and unexpected behavior caused by memory errors, leading to more robust and reliable software.
Improved Developer Productivity: Developers can focus on the core logic of their code without constantly worrying about manual memory management, leading to increased productivity and faster development cycles.
Lower Development Costs: While the initial transition to memory-safe languages might involve learning curves, the long-term benefits of reduced debugging time, fewer security patches, and increased reliability can lead to lower overall development costs.
Common Memory Safety Issues
Buffer Overflows: Occur when a program writes data beyond the allocated memory space for a buffer.
Out-of-bounds access: Occurs when a program tries to access a memory location outside the valid range of an array or other data structure
Use-after-free errors: Occur when a program tries to access memory that has already been deallocated.
Dangling pointers: Occur when a pointer points to a memory location that is no longer valid.
Examples of Memory-Safe Languages
Rust: Offers strong memory safety guarantees through its borrow checker and ownership system.
Go: Uses garbage collection to manage memory automatically.
Java: Relies on garbage collection and runtime checks for memory safety.
C#: Uses garbage collection and runtime checks for memory safety.
Python: Uses garbage collection and reference counting to manage memory.
Swift: Combines compile-time checks and runtime checks to enforce memory safety.
Kotlin: Similar to Java, Kotlin uses garbage collection and runtime checks for memory management.
Languages That Are Not Memory-Safe (and thus require more careful coding practices)
C: Relies on manual memory management, making it prone to memory errors if not handled carefully.
C++: Also relies on manual memory management, though it offers more advanced memory management features than C.
Learn More About MSLs In The Joint Cybersecurity Guidance Including:
✅ Benefits of MSLs – enhanced security, increased reliability, improved developer productivity·
✅ Memory Vulnerabilities Explained – buffer overflow, use-after-free, data races, & initialization safety·
✅ Key Features of MSLs – bounds checking, memory management, data race prevention
Take steps to enhance your software resilience and contribute to a safer digital environment for everyone.
Download the complete guide HERE
