Cyber

Memory Safe Languages (MSLs) guide

by Mark Rowe

In the United States, the federal Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly released a guide, “Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development.”

Definition

As the guide states, MSLs incorporate built-in mechanisms, such as bounds checking, automatic memory management, and data race prevention, to guard against the classes of memory bugs that attackers exploit when such safeguards are absent.

The document is aimed at software producers, especially those building National Security Systems (NSS) and critical infrastructure. It points to the need to adopt Memory Safe Languages (MSLs) to combat the pervasive memory safety vulnerabilities that have long plagued software systems. Memory-related bugs, such as buffer overflows and use-after-free errors, account for most, some 66pc to 75pc, of the Common Vulnerabilities and Exposures (CVEs) in major platforms, as highlighted by studies from Google Project Zero and others.

The guide details how memory safety issues, as seen in incidents such as Heartbleed, which compromised sensitive data across 800,000 websites, and BadAlloc, affecting 195 million vehicles and critical infrastructure, pose risks to national security and public safety. MSLs such as Rust, Java, Go, and Python embed safeguards including bounds checking, automated memory management via garbage collection or strict ownership rules, and data race prevention.
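The three safeguards the guide names are easier to judge when seen in code. The following is an added example written for this article, not code from the CISA/NSA guide: it parses a constructed length-prefixed record of the kind whose unchecked handling caused Heartbleed, and shows how Rust's bounds checking turns an over-read into a recoverable `None`, how ownership ends a buffer's life at a fixed point (a later use is a compile error, so it can only be described in a comment here), and how shared mutable state must go behind a `Mutex` before threads may touch it. Of the languages the guide lists, Rust is the one that enforces the data-race rule at compile time; garbage-collected languages handle memory lifetime in the runtime and do not statically exclude races. All record bytes are constructed sample data.

```rust
// Added example, not from the CISA/NSA guide. Shows bounds checking,
// ownership-based memory management and data race prevention in Rust.
use std::sync::{Arc, Mutex};
use std::thread;

/// Parse a length-prefixed record: byte 0 is the declared payload length,
/// the rest is payload. Trusting the length byte and copying blindly is the
/// over-read pattern behind Heartbleed. `get` checks the range against the
/// real buffer and returns None instead of reading past the end.
pub fn payload(record: &[u8]) -> Option<&[u8]> {
    let len = *record.first()? as usize;
    record.get(1..1 + len)
}

/// Bounds-checked indexing. A direct `record[idx]` with a bad index panics
/// (a controlled abort, not a read of adjacent memory); `get` makes the same
/// condition a recoverable Option.
pub fn byte_at(record: &[u8], idx: usize) -> Option<u8> {
    record.get(idx).copied()
}

/// Ownership: the buffer is moved into this function and freed when it
/// returns. The caller no longer owns it, so a later read of the same
/// variable is rejected by the compiler ("borrow of moved value"), which is
/// how use-after-free is excluded rather than merely detected.
pub fn consume(buf: Vec<u8>) -> usize {
    buf.len()
    // `buf` is dropped here
}

/// Data race prevention: the shared counter lives behind a Mutex inside an
/// Arc. Handing a plain `&mut u64` to several threads does not compile, so
/// the unsynchronised increment that C permits cannot be written.
pub fn parallel_count(inputs: &[Vec<u8>]) -> u64 {
    let total = Arc::new(Mutex::new(0u64));
    let handles: Vec<_> = inputs
        .iter()
        .cloned()
        .map(|rec| {
            let total = Arc::clone(&total);
            thread::spawn(move || {
                let n = payload(&rec).map_or(0, |p| p.len()) as u64;
                *total.lock().unwrap() += n;
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let n = *total.lock().unwrap();
    n
}

fn main() {
    // Constructed sample records: one honest length byte, one that lies.
    let good = [3u8, b'a', b'b', b'c'];
    let lying = [200u8, b'x', b'y'];
    println!("{:?}", payload(&good)); // Some([97, 98, 99])
    println!("{:?}", payload(&lying)); // None
    println!("{:?}", byte_at(&good, 10)); // None
    let owned = good.to_vec();
    println!("{}", consume(owned)); // 4; `owned` cannot be used after this line
    println!("{}", parallel_count(&[good.to_vec(), lying.to_vec(), good.to_vec()])); // 6
}
```

The practical check to take from this is that the unsafe patterns are not merely discouraged but unrepresentable in safe Rust: a `Vec` with a lying length field cannot be over-read, a freed buffer cannot be named again, and a counter cannot be shared across threads without a lock or an atomic. The same guarantees are what the guide credits for removing the 66pc to 75pc bug class at the language level instead of relying on reviewer care.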

Comment

Emilio Pinna, director at SecureFlag, said, “It’s 2025, and yet, we’re still patching buffer overflows like it’s 1995. The newly released CISA and NSA report on Memory Safe Languages is a much-needed wake-up call (again) for the industry. After decades of shipping software riddled with memory safety bugs, it’s clear: the problem isn’t new, we’re just stubborn. As the report points out, memory issues like use-after-free and buffer overflows are responsible for up to 66-75pc of all CVEs in major platforms. That’s not a bug, that’s a systemic design flaw in how we write code. And yes, that means the C++ codebase your team inherited might just be a beautifully commented landmine.

“Young developers today are stuck fighting the vulnerabilities their coding ancestors thought they could ‘just be careful’ around. The push toward Memory Safe Languages (MSLs) like Rust, Swift, and modern iterations of Go or even Java is a necessity now more than ever. You don’t get brownie points for reinventing the wheel with manual memory management anymore. Sure, rewriting core systems in Rust isn’t going to be cheap or fast. But neither is responding to zero-days born from yet another dangling pointer. As the CISA/NSA guidance makes clear, we’re at a crossroads: keep clinging to legacy languages with known safety issues, or modernise for the future.”
