CISA, FBI, NSA Urge Software Industry: Adopt Memory-Safe Languages to Drastically Cut Vulnerabilities

The leading cybersecurity agencies in the United States—CISA and the NSA—have issued a joint report urging software developers to adopt so-called memory-safe programming languages. These are technologies inherently designed to protect against critical memory-related failures—one of the most pervasive and dangerous classes of software vulnerabilities.

The report emphasizes that errors stemming from improper memory handling remain a primary threat to both everyday users and mission-critical information systems. Languages such as Rust, Go, C#, Java, Swift, Python, and JavaScript either employ garbage collection or enforce static memory allocation checks during compilation, thereby significantly reducing the risk of memory-based vulnerabilities.

However, the industry’s most widely used languages—C and C++—lack such safeguards by default. While developers can theoretically mitigate risks through static code analysis and adherence to secure coding standards, in practice, these precautions are often neglected.

Moreover, even when the bulk of a program is crafted with modern security standards, integrating libraries written in C or C++ via the Foreign Function Interface (FFI) can undermine those protections. Such oversights are particularly insidious, as they can compromise projects that outwardly appear secure.

The scale of the issue is underscored by data from major technology firms. According to Google, 90% of critical security flaws in Android in 2018 stemmed from memory misuse. In Chromium, over 70% of recorded vulnerabilities in 2021 fell into this category. The infamous Heartbleed bug in OpenSSL, which allowed attackers to extract data beyond allocated memory bounds, also originated from such flaws.

Even a relatively recent outage in Google Cloud’s infrastructure, which occurred in June this year, was linked to a classic lapse—the failure to validate null pointers. Such defects lead to system crashes or open gateways for exploitation in environments where storage control is insufficiently rigorous.

Thus, it is no surprise that tech giants are now vigorously promoting the transition to safer languages. As early as 2022, Microsoft officially recommended that new applications be developed in Rust or similar technologies. By 2023, government agencies had joined these efforts. CISA Director Jen Easterly publicly called for the industry’s migration toward more secure solutions.

Nonetheless, this transition has not been without contention. Over the past year, debates have flared within the Linux kernel development community regarding the integration of Rust drivers. Proponents of C and C++ have countered with alternative projects—TrapC, FilC, Mini-C, and Safe C++—which aim to enhance security without abandoning familiar paradigms. Simultaneously, Google is improving memory safety within C++ without sacrificing performance.

According to the CISA and NSA report, a full migration to memory-safe languages requires significant time, investment, and skilled personnel. The challenge is particularly acute for organizations burdened with legacy codebases or operating within critical infrastructure. Yet the benefits—from minimizing vulnerabilities to increasing overall software reliability—render such changes not only worthwhile but inevitable.

There are already notable examples of progress. Thanks to Android’s gradual shift toward safer programming practices, memory-related vulnerabilities dropped to just 24% by 2024.

The U.S. government is also advancing initiatives to accelerate this shift. DARPA’s TRACTOR (Translating All C to Rust) program is developing tools to automate the conversion of C projects into Rust, reducing the need for manual rewriting. Meanwhile, researchers at Princeton, UC Berkeley, and UC San Diego are working on Omniglot, a framework for safely integrating Rust with external libraries via FFI.

CISA and the NSA emphasize that while government-led programs are important, they are counting on active participation from the private sector. Among their proposed measures is the promotion of job opportunities requiring experience with memory-safe languages, aimed at expanding the pool of qualified professionals and expediting the adoption of new security standards.

According to Google, migrating from C++ to Rust has doubled developer productivity, and Microsoft is actively integrating Rust into Windows and building drivers based on it.