NSA Issues Software Memory Safety Guidance

The National Security Agency has published guidance that can help software developers and operators prevent and mitigate software memory safety issues.

According to the Software Memory Safety Cybersecurity Information Sheet, hackers can exploit poor memory management to access sensitive information, execute unauthorized code, crash programs and compromise memory settings. The guidance also noted that the flexibility and freedom in commonly used coding languages, such as C and C++, leave room for mistakes, which can lead to exploitable vulnerabilities.

NSA’s guidance noted that software analysis tools can detect issues and offer some protection, but code can be further protected by using memory-safe software languages. Another recommendation is to use code-hardening defenses like compilers and operating system configurations to protect data, NSA said.

Neal Ziring, cybersecurity technical director at the NSA, said memory management exploitation is still common even though hackers have been taking advantage of the vulnerability for decades. He urged developers to exercise caution and protect their code when developing software to prevent cyber actors from attacking.

Data from Microsoft revealed in 2019 that between 2006 and 2018, 70 percent of vulnerabilities were caused by memory safety issues. Likewise, Google shared that a similar percentage of memory safety vulnerabilities were found in the Chrome browser.

Some of the coding languages that NSA identified as memory-safe are C#, Java, Ruby, Rust and Swift. The agency reminded users that even though these languages are considered safe, software will still have to perform unsafe memory management functions from time to time to accomplish certain tasks.

The natural tendency to turn to unsafe checks puts developers at risk of performing risky memory management tasks. Developers are urged to exercise vigilance even when using the aforementioned languages.
