FORT MEADE, Md. - The National Security Agency (NSA) joins Cybersecurity and Infrastructure Security Agency (CISA) and U.S. and international partners in releasing ”The Case for Memory Safe Roadmaps” Cybersecurity Information Sheet (CSI). Expanding on the “Software Memory Safety” CSI published by NSA in April 2023, the report provides guidance for software manufacturers and technology providers to create roadmaps tailored to eliminate memory safety vulnerabilities from their products.
Memory safety vulnerabilities are coding errors affecting software’s memory management code in which memory can be accessed, written, allocated, or deallocated in unintended ways. Types of memory-related coding errors mentioned in the CSI include buffer overflow, use after free, use of uninitialized memory, and double free. Exploiting these vulnerabilities could allow malicious actors to access or corrupt data, or run arbitrary malicious code with the same privilege as the system owner.
“Memory safety vulnerabilities affect software development across all industries,” said Neal Ziring, Technical Director of NSA Cybersecurity Directorate. “Working together to set clear goals and timelines in transition roadmaps to safer programming language is critical for mitigating these problems.”
In a shared conclusion, the co-authoring agencies recommend software manufacturers create roadmaps for the utilization of, and transition to, memory safe programming languages. This transition will enable memory safe programming languages to mitigate memory-related vulnerabilities and reduce the products' attack surface. Recommended memory safe programming languages mentioned in the CSI include C#, Go, Java, Python, Rust, and Swift. Software manufacturers should evaluate multiple memory safe programming languages before integrating them into their workflows.
The CSI includes technical and non-technical factors for software manufacturers to consider when developing their roadmap. These include picking a memory safe language, staff capabilities and resourcing, and prioritization guidance. Additional guidance includes elements that should be part of the roadmaps, including the following: defined phases with dates and outcomes, dates for memory safe programming languages in new systems, internal developer training and integration plans, external dependency plans, transparency plans, and CVE support program plans.
The authoring agencies urge software manufacturers to create and publish memory safe roadmaps to plan and communicate how memory safety vulnerabilities will be mitigated in their products.
The authoring agencies include CISA, NSA, the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK). The agencies jointly developed this report as part of their Secure by Design campaign to urge software manufacturers to prioritize design and implementation practices to reduce customer risk by using memory safe languages in their products.
Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations
MediaRelations@nsa.gov
443-634-0721