NSA and CISA Urge Adoption of Memory Safe Languages for Safety

June 25, 2025
A renewed call to transition to memory safe languages (MSLs) has been issued by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).

A new joint report, Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development, outlines the urgent need for software modernization through MSLs to combat memory-related vulnerabilities that continue to plague critical systems.

A key recommendation in the report urges organizations, especially those managing legacy systems or high-risk infrastructure, to adopt languages that prevent common memory errors by design. While performance and interoperability concerns remain, the agencies argue these challenges are surmountable and far outweighed by the long-term benefits to system integrity.

The guidance reflects growing consensus across government and industry that memory safety is no longer optional in modern development. Instead, it should be considered foundational, especially as tools and ecosystems supporting MSLs like Rust mature.

These languages minimize entire classes of vulnerabilities, such as buffer overflows, which remain among the most exploited in cyber-attacks.

However, the transition isn’t without friction. The report acknowledges that:

  • Existing codebases often rely on tightly coupled, non-MSL components

  • Performance overhead can arise from interlanguage communication

  • Many MSLs still lack comprehensive tooling and community support

  • Critical third-party libraries may not yet be written in MSLs

To address these barriers, the report encourages modular rewrites, robust dependency management and targeted training programs that incorporate memory safety principles into both academia and workplace upskilling.

A Strategic Shift in Cybersecurity

Academia is already incorporating MSLs into curricula, especially higher-level ones like Python and Java.

Programs like DARPA’s TRACTOR and V-SPELLS also aim to automate modernization, translating legacy C code into Rust. Industry players such as Prossimo and the Open Source Security Foundation (OpenSSF) are driving demand by building core internet infrastructure in memory safe code.

Still, the report warns that MSLs are not a cure-all. For constrained environments or situations where a full transition isn’t feasible, the report outlines alternatives, such as memory tagging hardware or compiler hardening, that can enhance safety without abandoning existing architectures.

At the same time, NSA and CISA assert that widespread MSL adoption remains the most effective path to eliminating memory vulnerabilities at scale. 

“Strategic MSL adoption is an investment in a secure software future,” reads the report.

“By defining memory safety roadmaps and leading the adoption of best practices, organizations can significantly improve software resilience and help ensure a safer digital landscape.”
