NSA, Partners Release Guidance for Protecting Software Products From Memory-Related Vulnerabilities

The National Security Agency, in partnership with the Cybersecurity and Infrastructure Security Agency and international agencies, released a cybersecurity information sheet focused on eliminating memory safety vulnerabilities from software products.

The CSI, titled “The Case for Memory Safe Roadmaps,” includes technical and non-technical factors software manufacturers should consider when developing memory-safe code integration plans. Recommendations include selecting memory-safe languages, developing appropriate coding guidance, creating internal developer training and integration plans, and formulating transparency plans.

Memory safety vulnerabilities can allow actors to access or corrupt data, run arbitrary code and compromise systems. Examples of memory-related errors are buffer overflow and the use of uninitialized memory.

The guidance was created in partnership with Australian, Canadian, New Zealand and UK cyber agencies, the NSA said.

The agency has been releasing different documents and capabilities to help organizations fend off cyber actors.

In October, the NSA released the “Advancing Zero Trust Maturity Throughout the Device Pillar” CSI, which recommended ways to ensure that devices meet zero trust principles. The CSI outlined eight capabilities designed to ensure that devices seeking access comply with security standards.

Earlier in the month, the agency released ELITEWOLF, a set of operational technology intrusion detection signatures and analytics that allow users to continuously monitor systems for malicious activities.
