CISA Urges Software Developers to Prioritize Memory Safe Coding

The U.S. Cybersecurity and Infrastructure Security Agency is urging software developers to establish comprehensive procedures to implement memory safe coding as part of an effort to address critical vulnerabilities in programming languages and further shift security responsibilities away from end users.

See Also: OnDemand | Cutting Through the Hype: What Software Companies Really Need from ASPM

CISA released guidance Wednesday – co-authored with the National Security Agency, the FBI and cybersecurity authorities from Australia, Canada, the U.K. and New Zealand – that provides software developers with actionable steps to create memory safe road maps that embrace “secure by design” principles. Memory safe vulnerabilities, a category of software defects and common coding errors, are the most prevalent type of disclosed software vulnerability.

In a statement announcing the new guidance, CISA Director Jen Easterly said roughly two-thirds of software vulnerabilities “are due to a lack of ‘memory safe’ coding.”

“Removing this routinely exploited security vulnerability can pay enormous dividends for our nation’s cybersecurity but will require concerted community effort and sustained investment at the executive level,” the statement says.

Memory safe vulnerabilities can allow hackers to install malware by gaining unauthorized access to computer memory. Threat actors have continued using memory corruption – a bug practically as old as computer memory itself – “to routinely compromise applications and systems,” according to the guidance.

The guidance includes recommendations such as using sandboxing techniques to isolate various parts of a system and limit the scope of potential vulnerabilities and using hardware to support memory protections and hardening memory allocators to make it more difficult for threat actors to create reliable exploits.

CISA said memory safe road maps will help software manufacturers create more reliable code while reducing interruptions for developers, emergencies requiring supporting staff, and breaches that affect customers. To successfully transition to memory safe languages, the agency recommended starting with new and smaller projects so teams can experiment with new tools and systems rather than rewrite existing code, which can be a challenging process.

The guidance also recommends that manufacturers replace memory unsafe components, prioritize security-critical code and plan time for integration, testing and learning.

Memory safe road maps should always contain defined phases that outline clear deadlines and outcomes, internal developer training and integration plans, an external dependency plan for libraries written in C and C++, a transparency plan and a support program plan for common vulnerabilities and exposures, according to the guidance.