
Google has prioritized minimizing memory-related errors in its new coding strategies

Google has given software developers a blueprint for tackling a longstanding class of security vulnerabilities: memory-safety CVEs.

Google Made Shift Towards Improving Memory-Safety Issues by Concentrating on New Coding Practices

In a united front, leading cybersecurity authorities such as Google, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the White House Office of the National Cyber Director have emphasized the importance of adopting memory-safe programming languages (MSLs) to minimise memory-safety vulnerabilities.

The rationale behind this recommendation is straightforward: MSLs, unlike traditional languages such as C and C++, have memory safety mechanisms embedded directly into their design. This proactive approach prevents memory corruption and related vulnerabilities at both compile time and runtime, rather than attempting to patch issues after deployment.

The significance of memory safety vulnerabilities is evident in statistics. Studies show that 66-71% of vulnerabilities (CVEs) in major operating systems like iOS 12 and Mojave stem from memory issues, and approximately 75% of real-world exploited vulnerabilities in 2021 involved memory safety flaws.

Languages such as Rust, Go, C#, Java, Swift, Python, and JavaScript offer automated memory management, garbage collection, or compile-time checks on memory ownership, effectively reducing vulnerabilities related to buffer overflows, use-after-free errors, and other memory issues.

To effectively implement this strategy, a strategic approach is required. This involves gradually rewriting critical or legacy modules using memory-safe languages (modular rewrites), managing dependencies properly to avoid unsafe code imports, incorporating memory safety principles into developer training and academic curricula, and utilising tooling and automation to ease the transition.
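The runtime bounds checks and the modular-rewrite approach described above, combined in one added example (not code from Google or from the original article): a Rust replacement for a hypothetical legacy C record parser that stays callable through the C calling convention. The record layout and the names `parse_record` and `record_payload_len` are assumptions made for illustration.

```rust
// Hypothetical record format: [type:1][len:2 big-endian][payload:len].
#[derive(Debug, PartialEq)]
pub enum ParseError { ShortHeader, LengthExceedsBuffer }

#[derive(Debug, PartialEq)]
pub struct Record<'a> { pub kind: u8, pub payload: &'a [u8] }

/// Safe core: every access is bounds-checked, so a length field that lies
/// about the payload size becomes an error value, not an out-of-bounds read.
pub fn parse_record(buf: &[u8]) -> Result<Record<'_>, ParseError> {
    let header = buf.get(..3).ok_or(ParseError::ShortHeader)?;
    let declared = u16::from_be_bytes([header[1], header[2]]) as usize;
    let payload = buf.get(3..3 + declared).ok_or(ParseError::LengthExceedsBuffer)?;
    Ok(Record { kind: header[0], payload })
}

/// Shim with the C calling convention so existing C callers can keep using
/// the rewritten module. Returns the payload length, or -1 for NULL or
/// malformed input. When building a library for C, also export the symbol
/// name with `#[no_mangle]` (`#[unsafe(no_mangle)]` on edition 2024).
///
/// # Safety
/// `ptr` must point to `len` readable bytes; this is the one contract the
/// compiler cannot check, and it is confined to this function.
pub unsafe extern "C" fn record_payload_len(ptr: *const u8, len: usize) -> i32 {
    if ptr.is_null() {
        return -1;
    }
    let buf = unsafe { std::slice::from_raw_parts(ptr, len) };
    match parse_record(buf) {
        Ok(rec) => rec.payload.len() as i32,
        Err(_) => -1,
    }
}

fn main() {
    // Constructed inputs: a valid record, and one claiming 0xFFFF payload bytes.
    let good = [0x01u8, 0x00, 0x02, 0xAA, 0xBB];
    let lying = [0x01u8, 0xFF, 0xFF, 0xAA];
    println!("{:?}", parse_record(&good));
    println!("{:?}", parse_record(&lying));
    println!("{}", unsafe { record_payload_len(lying.as_ptr(), lying.len()) });
}
```

The only `unsafe` code is the pointer-to-slice conversion at the boundary, which keeps the part that needs manual review to a few lines while the parsing logic itself is checked by the compiler and the runtime.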

While MSLs are not a total cure-all, especially in constrained environments, the consensus is that wide adoption remains the most effective way to eliminate memory safety vulnerabilities at scale. This aligns with CISA’s “Secure by Design” principles that promote reducing vulnerability classes by default during the software development lifecycle.

Agencies advocate for integrated proactive security throughout development, encouraging organisations to define memory safety roadmaps and lead the uptake of best practices. This yields improved software resilience and overall digital security.

Earlier this year, the White House Office of the National Cyber Director called on the technology industry to widely adopt memory-safe languages. Google, too, has emphasised that the problem of memory-safety vulnerabilities is primarily with new code, necessitating a fundamental change in coding practices. Google's approach to memory-safety vulnerabilities in Android provides a roadmap for software developers.

Google has made significant strides in reducing memory-safety vulnerabilities in Android, decreasing them from 76% to 24% over the last six years. This demonstrates the potential benefits of transitioning to memory-safe languages. Officials likewise believe software vendors can make a significant dent in the number of vulnerabilities they introduce by shifting to memory-safe languages.

The Cybersecurity and Infrastructure Security Agency and the FBI have highlighted this issue, pointing out that memory-unsafe languages are prevalent in more than half of critical open-source projects. The total amount of new memory-safety vulnerabilities has declined in kind, according to Google, thanks to developers prioritising the use of memory-safe languages in new code since 2019.

Google's blog post underscores the need for a fundamental change in how code is developed to address memory-safety vulnerabilities. The total lines of memory-safe code in Android grew at a much faster rate over the six-year period, achieving a "seemingly counterintuitive result" by transitioning all new development to memory-safe languages.

In conclusion, software developers can minimise memory-safety vulnerabilities by choosing memory-safe languages, embedding security early in the development process, incrementally modernising legacy codebases, educating teams, and adopting robust tooling and practices—all key strategies strongly recommended by leading cybersecurity authorities.

Leading cybersecurity authorities, including Google, CISA, NSA, and the White House Office of the National Cyber Director, advocate for the adoption of memory-safe programming languages (MSLs) to reduce memory-safety vulnerabilities, as these languages have built-in mechanisms that prevent memory corruption and related vulnerabilities during both compile time and runtime. This approach aligns with CISA's "Secure by Design" principles, which encourage reducing vulnerability classes during the software development lifecycle and promote a proactive approach to cybersecurity in data and cloud computing and technology.
