CISA and NSA Champion Memory Safe Languages for Enhanced Software Security
Washington D.C. - In a significant move to bolster software security and resilience against cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued joint guidance urging the adoption of memory-safe programming languages. This recommendation aims to address the persistent and critical threat of memory-related vulnerabilities, which have long been a primary vector for cyberattacks.
The joint Cybersecurity Information Sheet (CSI) titled "Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development" underscores the necessity of building security into the foundation of software. The agencies argue that by transitioning to memory-safe languages (MSLs), organizations can eliminate entire classes of vulnerabilities, such as buffer overflows and use-after-free errors, before software is ever deployed.
The Pervasive Threat of Memory Vulnerabilities
Memory-related flaws in software, often found in languages like C and C++, have been the root cause of numerous high-profile security incidents and data breaches. These vulnerabilities can lead to system crashes, data corruption, and unauthorized remote code execution, providing attackers with a gateway into sensitive systems and critical infrastructure. According to some studies, memory safety bugs account for a staggering 66% to 75% of all Common Vulnerabilities and Exposures (CVEs) on major platforms.
The traditional approach of relying on developer discipline, code scanning tools, and patching to mitigate these risks has proven insufficient to combat the scale of the problem. The CISA and NSA guidance, therefore, represents a strategic shift towards a "Secure by Design" approach, where security is an intrinsic property of the software development process.
The Solution: Memory-Safe Languages
Memory-safe languages, such as Rust, Go, Java, Python, and Swift, incorporate built-in mechanisms to manage memory automatically and safely. Features like bounds checking, garbage collection, and strict memory rules prevent common coding errors that can lead to security flaws. By enforcing these rules at compile time or runtime, MSLs shift the burden of memory management from the developer to the language itself, significantly reducing the likelihood of introducing vulnerabilities.
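An added illustration of the runtime bounds checking described above, written in Rust; it is not taken from the CISA/NSA guidance. The record format (a one-byte length prefix followed by the payload) and the function names are assumptions made for the example.

```rust
// Constructed record format for this example: [len: u8][payload: len bytes].
// A sender controls `len`, so it may claim more bytes than were received.

/// Returns the payload the length prefix claims, or None if the packet is
/// empty or the claim exceeds the bytes actually present.
fn read_payload(packet: &[u8]) -> Option<&[u8]> {
    let (&claimed_len, rest) = packet.split_first()?;
    // `get` performs the bounds check and reports failure as None.
    rest.get(..claimed_len as usize)
}

/// The same parse written with plain indexing, as a direct port of C code
/// would be. The range is still checked at runtime: an oversized claim
/// panics instead of reading whatever sits after the buffer.
fn read_payload_indexed(packet: &[u8]) -> &[u8] {
    let claimed_len = packet[0] as usize;
    &packet[1..1 + claimed_len]
}

/// Runs the indexed parser and reports whether the bounds check stopped it.
fn indexed_parse_is_stopped(packet: &[u8]) -> bool {
    std::panic::catch_unwind(|| read_payload_indexed(packet).len()).is_err()
}

fn main() {
    // Constructed inputs: an honest packet, and one whose prefix claims
    // 200 bytes while only 3 follow it.
    let honest = [3u8, b'a', b'b', b'c'];
    let lying = [200u8, b'a', b'b', b'c'];

    println!("honest, checked API: {:?}", read_payload(&honest));
    println!("lying, checked API:  {:?}", read_payload(&lying));
    println!("lying, indexed parse stopped: {}", indexed_parse_is_stopped(&lying));
}
```

In C, the equivalent unchecked copy would return adjacent memory to the caller; here the failure is either an explicit `None` the caller must handle or a controlled panic.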
The agencies highlight the success of Google's Android platform as a compelling case study. After a strategic shift to using Rust and Java for new components, the percentage of memory-related security vulnerabilities in Android dropped from 76% in 2019 to 24% in 2024. This demonstrates the profound impact that adopting MSLs can have on improving software security, even in large and complex codebases.
A Phased Approach to Adoption
Recognizing that a complete rewrite of legacy codebases is often impractical, CISA and the NSA advocate a phased modernization strategy. They recommend that organizations begin by using MSLs for new projects and for an incremental rewrite of high-risk components, particularly those that are internet-facing or handle sensitive data. This approach allows for a gradual and manageable transition, leveraging the interoperability of MSLs with existing code.
The guidance also acknowledges that in some cases, adopting an MSL may not be immediately feasible. In such scenarios, it provides recommendations for making non-memory-safe languages safer through the use of available tools and secure coding practices.
The Broader Impact
Beyond the immediate security benefits, the adoption of memory-safe languages can also lead to more stable and reliable software. By preventing common bugs that cause crashes and errors, MSLs can improve developer productivity, reduce debugging time, and lower long-term maintenance costs.
This push for memory safety is aligned with broader federal efforts to enhance cybersecurity, including the principles of the NIST Secure Software Development Framework (SSDF). As regulatory and supply chain expectations for software security continue to evolve, organizations that proactively adopt MSLs will be better positioned to meet future compliance mandates and demonstrate due diligence.
The joint guidance from CISA and the NSA sends a clear message to the software industry: the future of secure software development lies in building security in from the start, and the adoption of memory-safe languages is a critical step in that direction.