The US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have published guidance urging software developers to adopt memory-safe programming languages. The agencies emphasize the importance of memory safety, citing serious risks to national security and critical infrastructure.
Memory safety refers to the ability of programming languages to prevent vulnerabilities caused by mishandling computer memory. Languages like Rust, Go, C#, Java, Swift, Python, and JavaScript offer automated memory management or compile-time checks to prevent memory-based errors.
However, C and C++ are not inherently memory-safe, making them more prone to errors. To mitigate this, developers must adhere to best practices and use static analysis tools. Nevertheless, even in safe languages, importing unsafe libraries can compromise memory safety guarantees.
Memory safety flaws have contributed significantly to vulnerabilities in large software projects. Google has attributed 90% of Android’s high-severity vulnerabilities to memory safety errors, while Microsoft reported over 70% of serious security issues in Chromium coming from memory safety flaws.
To address this issue, the tech industry has seen a surge in memory-safe languages. In 2022, Microsoft executives called for new applications to be written in memory-safe languages like Rust. Consumer Reports and government officials have since emphasized the need to transition to these languages.
The CISA/NSA report acknowledges that adopting memory-safe languages may not be feasible for all organizations. However, it highlights benefits such as increased reliability, reduced attack surface, and decreased long-term costs. The report also emphasizes the importance of a balanced approach, recognizing that memory-safe languages are not a panacea but rather a crucial step towards mitigating vulnerabilities.
The agencies urge the private sector to promote memory safety by advertising jobs requiring MSL expertise and supporting government initiatives like the DARPA TRACTOR program, which aims to develop an automated method for translating C code to Rust.
Source: https://www.theregister.com/2025/06/27/cisa_nsa_call_formemory_safe_languages