Governance & Risk Management

CISA Urges Software Developers to Prioritize Memory-Safe Coding

CISA, NSA, FBI and Global Partners Urge Manufacturers to Make Memory-Safe Road Maps
CISA Urges Software Developers to Prioritize Memory-Safe Coding
New guidance urges software developers to create memory safe road maps. (Image: Shutterstock)

The U.S. Cybersecurity and Infrastructure Security Agency is urging software developers to establish comprehensive procedures to implement memory-safe coding as part of an effort to address critical vulnerabilities in programming languages and further shift security responsibilities away from end users.

See Also: Cloud Security and Developers: Role of Zero Standing Privilege

CISA released guidance Wednesday - co-authored with the National Security Agency, the FBI and cybersecurity authorities from Australia, Canada, the U.K. and New Zealand - that provides software developers with actionable steps to create memory-safe road maps that embrace "secure by design" principles. Memory-safe vulnerabilities, a category of software defects and common coding errors, are the most prevalent type of disclosed software vulnerability.

In a statement announcing the new guidance, CISA Director Jen Easterly said roughly two-thirds of software vulnerabilities "are due to a lack of 'memory-safe' coding."

"Removing this routinely exploited security vulnerability can pay enormous dividends for our nation's cybersecurity but will require concerted community effort and sustained investment at the executive level," the statement says.

Memory-safe vulnerabilities can allow hackers to install malware by gaining unauthorized access to computer memory. Threat actors have continued using memory corruption - a bug practically as old as computer memory itself - "to routinely compromise applications and systems," according to the guidance.

The guidance includes recommendations such as using sandboxing techniques to isolate various parts of a system and limit the scope of potential vulnerabilities and using hardware to support memory protections and hardening memory allocators to make it more difficult for threat actors to create reliable exploits.

CISA said memory-safe road maps will help software manufacturers create more reliable code while reducing interruptions for developers, emergencies requiring supporting staff, and breaches that affect customers. To successfully transition to memory-safe languages, the agency recommended starting with new and smaller projects so teams can experiment with new tools and systems rather than rewrite existing code, which can be a challenging process.

The guidance also recommends that manufacturers replace memory unsafe components, prioritize security-critical code and plan time for integration, testing and learning.

Memory-safe road maps should always contain defined phases that outline clear deadlines and outcomes, internal developer training and integration plans, an external dependency plan for libraries written in C and C++, a transparency plan and a support program plan for common vulnerabilities and exposures, according to the guidance.


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.