NSA and CISA Advocate for Adoption of Languages That Enhance Memory Safety

The NSA and CISA are calling on developers to embrace programming languages that mitigate memory safety vulnerabilities. Historically, the industry tried to address these bugs through developer training, coding standards and analysis tooling, but the evidence shows that those measures alone are insufficient. Computer memory can be likened to a vast array of mailboxes in which a running program stores its information. Memory safety bugs occur when a program writes data to the wrong location, reads or writes beyond the bounds of a buffer, or uses memory that has already been freed or was never allocated to it.

Though these errors may seem trivial, they have led to significant security breaches. Heartbleed, an out-of-bounds read in OpenSSL's handling of TLS heartbeat messages, let attackers pull server memory, including private keys and session data, from millions of systems, and BadAlloc, a family of integer-overflow bugs in the memory allocators of real-time operating systems and IoT stacks, affected devices in critical infrastructure. Research indicates the severity of the issue: a 2019 study found that nearly two-thirds of security issues in Apple’s iOS and macOS stemmed from memory-related flaws, and Google’s Project Zero reported that roughly 75% of the zero-day exploits it tracked in the wild relied on memory corruption. To counteract this, the NSA and CISA advocate a “secure by design” approach.

This involves using memory-safe languages (MSLs), such as Rust, Java, Go, and Python, which are engineered to prevent whole classes of memory safety errors from arising in the first place. For instance, bounds checking stops a program from reading or writing past the end of a buffer, turning a silent memory corruption into a well-defined error, while automatic memory management, whether garbage collection in Java, Go and Python or compile-time ownership checking in Rust, rules out use-after-free and double-free bugs. These guarantees hold for code that stays within the language's safe subset; code marked unsafe or called through a foreign-function interface must still be reviewed with the same care as C. Android demonstrated the effectiveness of this strategy by shifting new development to MSLs and reducing memory safety vulnerabilities from 76% to just 24% of its total security bugs between 2019 and 2024. While transitioning to these languages may seem daunting for organizations with extensive existing code, an incremental approach is recommended.
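The following Rust program is an added example, not code from the NSA/CISA guidance or from any of the projects the article names. It shows the two mechanisms described above against the two bug classes cited earlier: a Heartbleed-style record whose declared payload length exceeds what was actually sent, and a BadAlloc-style allocation size that overflows. The record layout (one type byte, a two-byte big-endian length, then the payload) is a simplified stand-in for the TLS heartbeat format, and all input bytes are constructed for the example.

```rust
// Added example: how a memory-safe language handles two classic bug classes.
//
// 1. Heartbleed-style over-read. The vulnerable code trusted the declared
//    payload length and copied that many bytes from a buffer that might be
//    far shorter. In Rust a slice index is bounds-checked: `&buf[..n]` panics
//    instead of reading past the end, and `buf.get(..n)` returns `None` so the
//    caller can reject the record without either corruption or a crash.
//
// 2. BadAlloc-style allocation overflow. `count * size` wrapping to a small
//    value yields an undersized buffer that later writes run off the end of.
//    `checked_mul` turns the overflow into a `None` the code must handle.

/// Why a record was rejected.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooShort,
    LengthExceedsRecord { declared: usize, available: usize },
}

/// Parse a record laid out as [type:1][len:2 big-endian][payload:len]
/// (a simplified, constructed stand-in for the TLS heartbeat format).
/// Returns a copy of the payload, as a heartbeat responder would echo it,
/// but only after confirming the declared length fits inside the record.
pub fn parse_heartbeat(record: &[u8]) -> Result<Vec<u8>, ParseError> {
    // The header is 3 bytes; `get(..3)` is None if the record is shorter.
    let header = record.get(..3).ok_or(ParseError::TooShort)?;
    let declared = u16::from_be_bytes([header[1], header[2]]) as usize;
    let body = &record[3..];
    // This is the check the vulnerable code lacked. Without it, `&body[..declared]`
    // would panic in Rust (safe, but a denial of service); in C the equivalent
    // memcpy silently returned up to 64 KiB of adjacent heap memory.
    match body.get(..declared) {
        Some(payload) => Ok(payload.to_vec()),
        None => Err(ParseError::LengthExceedsRecord {
            declared,
            available: body.len(),
        }),
    }
}

/// Size in bytes for `count` elements of `elem_size` bytes each, or None
/// if the product overflows `usize` instead of silently wrapping.
pub fn checked_alloc_size(count: usize, elem_size: usize) -> Option<usize> {
    count.checked_mul(elem_size)
}

/// Allocate a zeroed buffer for `count` elements, refusing when the size
/// computation overflows. With wrapping arithmetic this is exactly where an
/// undersized buffer, and the later heap overflow, would come from.
pub fn alloc_elements(count: usize, elem_size: usize) -> Option<Vec<u8>> {
    checked_alloc_size(count, elem_size).map(|n| vec![0u8; n])
}

fn main() {
    // Constructed sample records, not captured traffic.
    let honest = [0x01, 0x00, 0x03, b'a', b'b', b'c'];
    println!("{:?}", parse_heartbeat(&honest)); // Ok([97, 98, 99])

    // Claims a 65535-byte payload but carries only 3 bytes.
    let lying = [0x01, 0xFF, 0xFF, b'a', b'b', b'c'];
    println!("{:?}", parse_heartbeat(&lying)); // Err(LengthExceedsRecord { .. })

    // count * elem_size overflows usize: rejected rather than undersized.
    println!("{:?}", alloc_elements(usize::MAX / 2 + 1, 2).map(|v| v.len())); // None
}
```

The C code that `parse_heartbeat` mirrors would have compiled and run without complaint on the lying record; here the same mistake is either impossible to express without a visible length check or fails loudly, which is the property the guidance is asking organizations to buy.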

By prioritizing MSLs for new projects and focusing on high-risk areas within existing software, organizations can substantially enhance memory safety. Although this strategy requires investment in training and tools, the long-term benefits of reduced security incidents and increased software reliability make it a worthwhile endeavor for a safer digital environment.
