U.S., global partners, ask software companies to focus on memory-safe code

CISA Director Jen Easterly, shown here at a Senate hearing in 2021, is part of an effort to urge global software manufacturers to code in 'memory-safe' languages.

CISA Director Jen Easterly, shown here at a Senate hearing in 2021, is part of an effort to urge global software manufacturers to code in 'memory-safe' languages. Kevin Dietsch/Getty Images

New guidance for software developers from Five Eyes countries implores software developers to patch memory safety vulnerabilities and rethink the use of risky programming languages.

A cadre of intelligence agencies from the U.S. and its allies unveiled new joint guidance on patching memory safety vulnerabilities in networks, aiming to bring awareness to coding errors that could be exploited. 

Released jointly by the Cybersecurity and Infrastructure Security Agency, the National Security Agency, FBI, and international partners including New Zealand, Australia, Canada, and the United Kingdom –– the parties to the Five Eyes intelligence cooperation treaty –– the guidance recommends the migration to memory safe programming languages to help prevent vulnerabilities.

Memory safety vulnerabilities allow threat actors to leverage flaws in software code to take control of targeted systems.The guidance instructs software developers and manufacturers to prioritize the shift to memory-safe programming languages when developing their digital systems and products, echoing the Biden administration’s push for accountability from tech manufacturers rather than end users. 

“Research shows that roughly 2/3 of software vulnerabilities are due to a lack of ‘memory safe’ coding. Removing this routinely exploited security vulnerability can pay enormous dividends for our nation’s cybersecurity but will require concerted community effort and sustained investment at the executive level,” said CISA Director Jen Easterly in an announcement. “It’s way past time for us to get serious about protecting all software customers and implement Secure by Design principles into baseline product development to eliminate these types of threats once and for all.”

In addition to changing the programming language to a memory safe code, the guide also recommends having developers create their own memory safe roadmaps and implement associated changes. Each roadmap should ideally detail how the manufacturer will modify their software development lifecycle to reduce memory related vulnerabilities in their products.

Developer training and system testing are also recommended in the new guidance. Notably, officials also recommend fuzzing, or the practice of testing software by using a wide variety of data to uncover system vulnerabilities.

“By publishing memory safe roadmaps, manufacturers will signal to customers that they are taking ownership of security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products—key Secure by Design tenets,” the guidance reads.