NSA urges organizations to move to memory-safe programming languages
In a press release issued earlier today, the National Security Agency (NSA) indicates that it will be making a strategic shift towards memory-safe programming languages. The agency advises organizations to explore these changes themselves using languages such as C#, Go, Java, Ruby or Swift. From the report: The “Software Memory Safety Fact Sheet” (PDF) shows how malicious cyber actors can exploit memory mismanagement issues to access sensitive information, enact unauthorized code execution, and cause other negative impacts. “Memory management issues have been exploited for decades and are still all too common today,” said Neal Ziring, CTO of cybersecurity. “We must consistently use memory-safe languages and other protections when developing software to eliminate these weaknesses of malicious cyber actors.”
Microsoft and Google have each said that software memory security issues are at the root of about 70% of their vulnerabilities. Poor memory management can also lead to technical problems, such as incorrect program results, degraded program performance over time, and program crashes. The NSA recommends that organizations use memory-safe languages when possible and reinforce protection with code hardening defenses such as compiler options, tool options, and system configurations. The full report is available here (PDF).