The NSA and CISA are urging developers to adopt programming languages that reduce the risks of memory safety vulnerabilities.
For a long time, the tech world has tried to patch over this problem. The thinking was that with enough training, smart tools, and careful work, developers could avoid these errors. But the evidence shows that approach just isn’t working well enough.
A computer’s memory is like a huge wall of mailboxes. When a program runs, it’s given a few of those boxes to store its information. A memory safety bug happens when the program makes a mistake and puts information in the wrong box, or tries to read from a box that isn’t its own.
This might sound small, but it’s the root cause of some of the most infamous cyberattacks. Remember the Heartbleed bug? It affected hundreds of thousands of websites and exposed the private data of millions, including hospital patients. Another flaw, BadAlloc, hit critical infrastructure and around 195 million cars.
These weren’t niche problems; they were widespread disasters caused by simple memory safety mistakes.
In one 2019 study, nearly two-thirds of all security flaws in Apple’s iOS and macOS were caused by memory issues. Google’s Project Zero team found that 75% of the real-world hacks they analysed were exploiting these kinds of bugs.
Memory safe languages: A smarter way to build software
The solution being pushed by the NSA and CISA is to build security in from the very start; known as the “secure by design” philosophy.
Instead of writing code and then testing it for bugs, memory safe languages (MSLs) like Rust, Java, Go, and Python are designed to make whole categories of these memory safety errors impossible to create in the first place.
Bounds checking acts like a guard, stopping a program from writing data outside of its assigned area, which prevents buffer overflow bugs. Automatic memory management is like a cleanup crew that runs in the background.
Some languages, like Java and Go, use a “garbage collector” to automatically find and free up memory that’s no longer needed. Others, like Rust, use an “ownership” system where the language itself tracks who is allowed to use a piece of memory at any time. Both methods help prevent “use-after-free” bugs, where a program tries to use memory it already gave back.
The team behind Android put it into practice with amazing results. Back in 2019, 76% of their security bugs were related to memory safety. Realising they had to do something different, they decided that all new code would be written in memory safe languages like Rust and Java.
They didn’t try to rewrite the whole system at once, which would have been a monumental task. Instead, they focused on making sure all new parts were built safely. The result? By 2024, memory safety vulnerabilities had plummeted to just 24% of the total.
Improving memory safety is vital
Of course, switching is not as simple as flipping a switch. For companies with millions of lines of existing code, a complete rewrite is often out of the question. The NSA and CISA know this and recommend a more practical, step-by-step approach.
The journey starts with using MSLs for any new projects or new features added to old projects. For existing software, teams can identify the most high-risk parts (e.g. code that handles network connections or processes files from the internet) and focus on rewriting just those critical components.
This change to improve memory safety requires a real investment in training and new tools. However, the agencies argue that this upfront cost is easily offset by the long-term savings from fewer security incidents, less downtime, and more reliable software.
The way we’ve been building software has left a wide-open door for attackers. Adopting memory safe languages is one of the most powerful ways to close it, making our digital world safer and more secure for everyone. It’s a big change, but it’s essential.
(Photo by Nick Fewings)
See also: Official group aims for Swift language support on Android
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including Digital Transformation Week, IoT Tech Expo, Blockchain Expo, and AI & Big Data Expo.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.