
CISA and Global Partners Press for Memory-Safe Roadmaps — November 14, 2023

Nineteen international agencies urged technology manufacturers to publish transition plans away from memory-unsafe languages and legacy code.

Fact-checked and reviewed — Kodi C.


The Cybersecurity and Infrastructure Security Agency (CISA) released guidance calling on software manufacturers to develop roadmaps for eliminating memory safety vulnerabilities from their products. The guidance recommends transition to memory-safe programming languages and represents a significant shift toward holding software producers accountable for vulnerability classes that have plagued the industry for decades.

Understanding Memory Safety Vulnerabilities

Memory safety vulnerabilities, including buffer overflows, use-after-free errors, and out-of-bounds reads, have been among the most exploited vulnerability classes throughout computing history. These vulnerabilities arise from programming language design decisions that prioritize performance over safety, allowing programs to access memory in unintended ways.

  • Prevalence of memory bugs. Research shows that memory safety vulnerabilities account for approximately 70 percent of severe vulnerabilities in major software products. This concentration makes memory safety a high-leverage target for improving overall software security.
  • Exploitation patterns. Memory safety bugs enable attackers to execute arbitrary code, escalate privileges, and compromise system integrity. Many significant cyberattacks have exploited memory safety vulnerabilities in widely deployed software.
  • Root cause analysis. The primary root cause is use of memory-unsafe languages like C and C++ that provide direct memory access without runtime safety checks. Modern memory-safe languages eliminate entire vulnerability classes through language design.

Memory-Safe Language Alternatives

The guidance recommends evaluating memory-safe programming languages as replacements for memory-unsafe codebases. Several mature languages provide memory safety guarantees while maintaining performance characteristics acceptable for most applications.

  • Rust. Rust provides memory safety through its ownership system and borrow checker, catching memory errors at compile time without garbage collection overhead. Major projects including portions of the Linux kernel have adopted Rust for new development.
  • Go. Go provides memory safety through garbage collection and runtime bounds checking, with a simpler learning curve than Rust. Google has used Go extensively for systems programming where memory safety is important.
  • Java and C#. These established managed languages provide memory safety through garbage collection and have extensive ecosystem support, though with different performance characteristics than systems languages.

Roadmap Development Guidance

CISA recommends that software manufacturers develop explicit roadmaps for achieving memory safety across their product portfolios. Roadmaps should address both new development and migration of existing codebases.

  • Inventory and prioritization. Identify memory-unsafe code across product portfolios and prioritize it based on exposure, criticality, and feasibility of remediation.
  • New development policies. Establish policies requiring memory-safe languages for new components, with exception processes for cases where memory-unsafe languages remain necessary.
  • Migration strategies. Develop incremental migration approaches for existing codebases, potentially starting with security-critical components or new feature development within existing products.
  • Timeline commitments. Establish and communicate timelines for achieving memory safety milestones, enabling customers to assess manufacturer commitment to secure development.
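
One way to approach the inventory and prioritization step, as an added example that is not taken from CISA's guidance or from this briefing: the script counts non-blank source lines per top-level component, splits them into memory-unsafe and memory-safe languages, and ranks the components that still hold memory-unsafe code. The extension map, the 1-5 ratings, the scoring formula and the sample tree are all assumptions made for illustration.

```python
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed extension map (a heuristic); extend it for your own portfolio.
UNSAFE_EXT = {".c", ".h", ".cc", ".cpp", ".cxx", ".hpp"}
SAFE_EXT = {".rs", ".go", ".java", ".cs", ".py"}

def inventory(root):
    """Count non-blank lines per top-level component, split unsafe/safe."""
    counts = defaultdict(lambda: {"unsafe": 0, "safe": 0})
    for path in Path(root).rglob("*"):
        ext = path.suffix.lower()
        kind = "unsafe" if ext in UNSAFE_EXT else "safe" if ext in SAFE_EXT else None
        if kind and path.is_file():
            parts = path.relative_to(root).parts
            component = parts[0] if len(parts) > 1 else "(root)"
            with path.open("rb") as fh:
                counts[component][kind] += sum(1 for line in fh if line.strip())
    return dict(counts)

def prioritize(counts, ratings):
    """Rank components that hold memory-unsafe code, highest score first."""
    # ratings: component -> (exposure, criticality, feasibility), each 1-5 and
    # set by the team; multiplying by the unsafe share is an assumed heuristic.
    ranked = []
    for comp, c in counts.items():
        if c["unsafe"] == 0:
            continue
        exposure, criticality, feasibility = ratings.get(comp, (1, 1, 1))
        share = c["unsafe"] / (c["unsafe"] + c["safe"])
        score = round(exposure * criticality * feasibility * share, 2)
        ranked.append((comp, c["unsafe"], round(share, 2), score))
    return sorted(ranked, key=lambda r: r[3], reverse=True)

def build_sample_tree(root):
    """Write a small constructed portfolio so the example runs offline."""
    files = {"parser/decode.c": "int f(void) {\n  return 0;\n}\n",
             "parser/util.rs": "fn g() {}\n",
             "ui/app.go": "package main\nfunc main() {}\n",
             "updater/fetch.cpp": "int h() {\n  return 1;\n}\n\n"}
    for rel, text in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(prioritize(inventory(tmp), {"parser": (5, 4, 3), "updater": (4, 5, 2)}))
```

The per-component unsafe share that `inventory` produces is also the kind of language-distribution figure a buyer can request from a vendor during procurement.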

Industry Response and Adoption

Major technology companies have begun responding to memory safety concerns with language adoption initiatives. Microsoft has announced plans to incorporate Rust into Windows development, Google uses Rust in Android, and the Linux kernel has accepted Rust as a second development language.

Implications for Software Procurement

Organizations procuring software should consider incorporating memory safety criteria into vendor assessments and contract requirements. Requesting information about vendor memory safety roadmaps and current language distributions provides insight into long-term security posture and vendor commitment to addressing systemic vulnerability sources.


Source material

  1. AA23-319A — The Case for Memory Safe Roadmaps
  2. CISA Blog — Software Manufacturers Must Build Memory Safe Roadmaps
  3. Secure by Design pledge launch — Cybersecurity and Infrastructure Security Agency
  4. Secure by Design pledge fact sheet — Cybersecurity and Infrastructure Security Agency