The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, is urging business executives and technology leaders to prioritize memory safety in software development. In its report "The Case for Memory Safe Roadmaps", the agency stresses that memory safety errors routinely have serious consequences and need to be eliminated rather than patched one at a time.
Memory safety errors such as buffer overflows, dangling pointers, type confusion and use-after-free can be exploited by attackers to execute arbitrary code, take control of systems or steal data.
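To make the class of bug concrete, here is an added example (it is not from the CISA report or from this article). It parses a hypothetical, constructed wire format (one length byte followed by a payload) into a fixed-size struct, first the way a memory-unsafe parser is typically written, then with the bounds checks that the language does not enforce for you. The struct layout, the `NAME_MAX` size and the sample messages are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (hypothetical, for illustration only): one byte giving
 * the declared payload length, followed by the payload bytes. */
#define NAME_MAX 16

struct record {
    char name[NAME_MAX];
    int  is_admin;   /* laid out right after name: the field an overflow lands on */
};

/* Vulnerable parser: trusts the attacker-controlled length byte. When the
 * declared length is >= NAME_MAX, memcpy and the terminating NUL write past
 * name into is_admin. This is undefined behaviour; AddressSanitizer reports it. */
int parse_record_unsafe(const uint8_t *msg, size_t msg_len, struct record *out)
{
    if (msg_len < 1)
        return -1;
    size_t declared = msg[0];
    memcpy(out->name, msg + 1, declared);   /* no bounds check */
    out->name[declared] = '\0';
    return 0;
}

/* Hardened parser: every value derived from the input is checked against both
 * the buffer it is read from and the buffer it is written to before use. */
int parse_record_safe(const uint8_t *msg, size_t msg_len, struct record *out)
{
    if (msg_len < 1)
        return -1;
    size_t declared = msg[0];
    if (declared + 1 > msg_len)     /* payload shorter than the header claims */
        return -1;
    if (declared >= NAME_MAX)       /* must leave room for the terminating NUL */
        return -1;
    memcpy(out->name, msg + 1, declared);
    out->name[declared] = '\0';
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t BENIGN_MSG[]    = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t TRUNCATED_MSG[] = { 5, 'a', 'b' };   /* header lies about length */

/* Builds a message whose declared length overruns name by exactly enough bytes
 * to overwrite is_admin (19 'A's plus the NUL cover bytes 16..19 of the struct). */
static size_t build_overflow_msg(uint8_t *buf, size_t buf_len)
{
    const size_t declared = NAME_MAX + 3;
    if (buf_len < declared + 1)
        return 0;
    buf[0] = (uint8_t)declared;
    memset(buf + 1, 'A', declared);
    return declared + 1;
}

/* Returns 1 if the safe parser accepts the benign record and fills it correctly. */
int safe_parser_accepts_benign(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    if (parse_record_safe(BENIGN_MSG, sizeof BENIGN_MSG, &r) != 0)
        return 0;
    return strcmp(r.name, "alice") == 0 && r.is_admin == 0;
}

/* Returns 1 if the safe parser rejects both malformed inputs without touching is_admin. */
int safe_parser_rejects_malformed(void)
{
    uint8_t evil[32];
    size_t evil_len = build_overflow_msg(evil, sizeof evil);
    struct record r;
    memset(&r, 0, sizeof r);
    if (parse_record_safe(evil, evil_len, &r) != -1 || r.is_admin != 0)
        return 0;
    if (parse_record_safe(TRUNCATED_MSG, sizeof TRUNCATED_MSG, &r) != -1)
        return 0;
    return 1;
}

int main(void)
{
    uint8_t evil[32];
    size_t evil_len = build_overflow_msg(evil, sizeof evil);
    struct record r;

    memset(&r, 0, sizeof r);
    parse_record_unsafe(evil, evil_len, &r);   /* overflow: is_admin is now nonzero */
    printf("unsafe parser: is_admin = %d\n", r.is_admin);

    memset(&r, 0, sizeof r);
    printf("safe parser: rc = %d, is_admin = %d\n",
           parse_record_safe(evil, evil_len, &r), r.is_admin);
    return 0;
}
```

The point of the contrast is that nothing in C distinguishes the two parsers: the compiler accepts both, and the only difference is two `if` statements the programmer had to remember. Compile the demo with `-fsanitize=address` to see the unsafe parser's write flagged; in a memory-safe language the equivalent slice copy would fail at compile time or trap at run time instead of silently flipping `is_admin`.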
CISA, together with the National Security Agency (NSA), the FBI and the cybersecurity agencies of Australia, Canada, the United Kingdom and New Zealand, is calling for secure-by-design practices, meaning that security decisions are made at the design stage rather than bolted on later. These agencies jointly back the report.
The agency is urging software manufacturers to develop and publish memory safety roadmaps that describe how they will eliminate memory safety vulnerabilities from their products. The point of making the roadmaps public is accountability: customers can see what a vendor has committed to and hold it to that commitment.
The issue has drawn attention well beyond government: Consumer Reports has published on it, Microsoft has stated that roughly 70% of the vulnerabilities it addresses are memory safety errors, and Google reports a similar share for the Chromium project.
CISA advises developers to use memory-safe languages such as C#, Go, Java, Python, Rust and Swift.
Bjarne Stroustrup, the creator of C++, defends the language, arguing that ISO C++ used with appropriate tooling can provide type and memory safety. That has not diminished the interest in Rust and other memory-safe languages.
CISA concludes that the most promising way to eliminate memory safety vulnerabilities is to standardize on memory-safe languages for new development and to migrate critical components of existing software to them.