FORT MEADE, Md. – The National Security Agency (NSA) joins the Cybersecurity and Infrastructure Security Agency (CISA) and its U.S. and international partners in releasing the Cybersecurity Information Sheet (CSI) “The Case for Memory Safe Roadmaps.” Building on the CSI “Software Memory Safety,” published by the NSA in April 2023, the report provides guidance for software manufacturers and technology providers to create tailored roadmaps to eliminate memory safety vulnerabilities in their products.
Memory safety vulnerabilities are coding errors in the memory management code of software through which memory can be accessed, written, allocated, or freed in unintended ways. Types of memory-related coding errors mentioned in the CSI include buffer overflow, use after free, use of uninitialized memory, and double free. Exploitation of these vulnerabilities could allow malicious actors to access or corrupt data, or execute arbitrary malicious code with the same privileges as the system owner.
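The four error classes named above correspond to four missing checks in memory-unsafe code. The following C block is an added illustration, not part of the NSA release: it shows the hardened form of each operation (a length-checked copy, a zero-initialised allocation, and a free that nulls its pointer), with the helper names `copy_bounded`, `alloc_zeroed`, `free_once` and `demo` being this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy: returns 0 on success, -1 if src (plus its NUL) would not fit
   in dst. Without the length check this is the classic buffer overflow. */
int copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0 || n >= cap) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Zero-initialised allocation: reading the block before writing it returns
   zeros rather than stale heap contents (use of uninitialized memory). */
uint8_t *alloc_zeroed(size_t n) {
    return calloc(n, 1);
}

/* Free through a pointer-to-pointer and null it: a second call is a harmless
   no-op instead of a double free, and a later access through the variable is
   a NULL dereference (a crash) instead of a silent use after free. */
void free_once(uint8_t **p) {
    if (p && *p) {
        free(*p);
        *p = NULL;
    }
}

/* Exercise the helpers on constructed input; returns 1 if every check holds. */
int demo(void) {
    char buf[8];
    int short_ok = copy_bounded(buf, sizeof buf, "CSI");               /* fits */
    int long_rejected = copy_bounded(buf, sizeof buf, "memory-safety"); /* 13 chars */
    uint8_t *blk = alloc_zeroed(16);
    int zeroed = blk != NULL && blk[0] == 0 && blk[15] == 0;
    free_once(&blk);
    free_once(&blk); /* second release is a no-op, not a double free */
    return short_ok == 0 && long_rejected == -1 && zeroed && blk == NULL;
}
```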
“Memory safety vulnerabilities impact software development across all industries,” said Neal Ziring, Technical Director of the NSA Cybersecurity Directorate. “Working together to define clear goals and timelines in roadmaps for transitioning to a memory safe programming language is key to mitigating these issues.”
In a joint conclusion, the co-authoring agencies recommend that software manufacturers create roadmaps for the use of and transition to memory safe programming languages. This transition will enable memory safe programming languages to mitigate memory-related vulnerabilities and reduce the attack surface of products. Recommended memory safe programming languages mentioned in the CSI include C#, Go, Java, Python, Rust, and Swift. Software manufacturers should evaluate several memory safe programming languages before integrating them into their workflows.
The CSI includes technical and non-technical factors that software manufacturers should consider when developing their roadmap. These include selecting a memory safe language suited to the workforce, capabilities and resources, as well as advice on prioritization. Additional guidance covers items that should be part of roadmaps, including: defined phases with dates and outcomes, dates for memory safe programming languages in new systems, training and onboarding plans for internal developers, external dependency plans, transparency plans, and CVE support program plans.
The authoring agencies urge software manufacturers to create and publish memory safety roadmaps to plan and communicate how memory safety vulnerabilities will be mitigated in their products.
Authoring agencies include CISA, NSA, the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), New Zealand’s National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ), as well as the United Kingdom’s National Cyber Security Centre (NCSC-UK). The agencies jointly developed this report as part of their Secure by Design campaign to urge software manufacturers to prioritize design and implementation practices that reduce customer risk by using memory safe languages in their products.
Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations
MediaRelations@nsa.gov
443-634-0721