Memory Safe Roadmaps

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and the cybersecurity authorities of Australia, Canada, the United Kingdom, and New Zealand (hereafter referred to as the authoring agencies) jointly developed this guidance as part of our collective Secure by Design

The authoring agencies urge executives of software manufacturers to prioritize using MSLs in their products and to demonstrate that commitment by writing and publishing memory safe roadmaps.

from “Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously”

“The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously” details how software manufacturers can transition to memory safe programming languages (MSLs) to eliminate memory safety vulnerabilities. The guidance gives manufacturers steps for creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products, all key Secure by Design tenets.

Memory safe programming languages (MSLs) can eliminate memory safety vulnerabilities. Therefore, transitioning to MSLs would likely greatly lessen the need to invest in activities aimed at reducing these vulnerabilities or minimizing their impact. Additionally, investments to migrate unsafe codebases to MSLs would pay long-term dividends in the form of safer products - defraying some of the upfront cost of transitioning to MSLs.

Key mitigations suggested in the memory safe roadmap

  • Developer Training
  • Code Coverage
  • Secure Coding Guidelines
  • Fuzzing
  • SAST/DAST
  • Safer Language Subsets

Key points for MSLs

  • Increased reliability
  • Fewer interruptions for developers
  • Fewer emergencies for supporting staff
  • Fewer emergencies (and breaches) for customers

resources