NSA and CISA Say Memory Safety is Now a National Priority

Safety first!
David Eberly
Contributing Writer

In a joint report, the NSA and CISA have issued a pivotal recommendation for the future of secure software: prioritize adopting memory-safe languages (MSLs) to mitigate cybersecurity risks at scale.

This guidance, part of a broader push for software supply chain modernization, underscores the growing consensus that the traditional tools and practices around memory management are no longer sufficient for today’s threat environment.

The report, Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development, is both a warning and a roadmap. Drawing from empirical data, real-world incidents like Heartbleed and BadAlloc, and case studies from major platforms such as Android and Microsoft, the document makes a compelling case for treating MSL adoption as a matter of strategic software architecting.

The report emphasizes that memory vulnerabilities remain the root cause of a significant share of system compromises, and that these weaknesses can often be eliminated outright by changing how software is written in the first place.

Why It Matters: Memory safe languages can eliminate entire categories of vulnerabilities, reducing downstream patching, compliance strain, and incident response costs. For those overseeing critical infrastructure, cloud ecosystems, or expansive software portfolios, this shift offers a sustainable strategy to reduce risk while strengthening resilience.

  • Reducing Risk at the Foundation Layer: Memory-related vulnerabilities are a dominant cause of security incidents across sectors. By adopting languages that enforce memory safety at compile time or runtime, such as Rust, Go, and Java, organizations can effectively neutralize common exploits like buffer overflows and use-after-free bugs. These design-level safeguards reframe security as an implemented architectural property rather than a reactive discipline.
  • A Phased Modernization Strategy That Works: For large codebases and legacy systems, full rewrites are rarely practical. The report proposes a scalable model: use MSLs for all new development, prioritize rewrites in high-risk components (e.g., network services, cryptographic functions), and bridge old and new code through modular APIs. This enables organizations to modernize incrementally while continuing to deliver and support existing systems.
  • Business Continuity and Engineering Efficiency: Memory safe languages enhance security and improve operational reliability, all while reducing long-term costs. By eliminating crash-prone bugs, MSLs lead to fewer outages, faster debugging cycles, and greater developer productivity. These gains align directly with business goals such as service availability, customer trust, and product velocity.
  • The Android Precedent: Proof of Feasibility at Scale: Google’s Android platform, historically written in memory-unsafe C/C++, has embraced Rust and Java for new components. With that change, memory-related vulnerabilities dropped from 76% of Android’s CVEs in 2019 to 24% in 2024. This demonstrates that a meaningful security impact can be achieved without rewriting everything, just by reshaping how new code enters the system.
  • Overcoming the Friction Points: The report does not gloss over challenges. MSLs come with learning curves, immature tooling in some cases, and performance tradeoffs in interlanguage scenarios. Organizations must plan for targeted developer training, ecosystem vetting, and governance updates. Programs like DARPA’s TRACTOR (automated C-to-Rust translation) and V-SPELLS (secure parser generation) are designed to smooth these transitions.
  • Strategic Ecosystem Considerations: Many enterprise environments depend on third-party libraries and legacy integrations not yet ported to MSLs. The report recommends strict dependency management, interlanguage APIs, and, where necessary, enhanced compiler options or hardware-level mitigations (e.g., memory tagging). These alternatives can be layered in while the broader ecosystem matures.
  • A Workforce and Education Shift: MSLs such as Rust require rethinking how developers approach memory ownership and concurrency. The curriculum is already evolving, and public-private partnerships are being encouraged to promote secure-by-design principles. Industry leaders can accelerate this trend by making MSL competency a visible hiring signal.
  • Regulatory and Supply Chain Implications: As memory safety becomes a policy priority, expect increased regulatory attention and compliance frameworks aligned with this paradigm. The NIST Secure Software Development Framework (SSDF) already emphasizes built-in security. Organizations preparing now for MSL adoption will be better positioned to meet future mandates and demonstrate due diligence across the software supply chain.
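
To make the first point above concrete, here is an added example (not taken from the NSA/CISA report or from this article) of how Rust's bounds enforcement handles a Heartbleed-style over-read, where a responder trusts a length field supplied by the peer. The record layout, type names and function names are hypothetical and simplified; this is not the TLS heartbeat format.

```rust
// Added illustration. Constructed record layout (hypothetical, simplified):
// [1-byte type][2-byte big-endian claimed length][payload...]

#[derive(Debug, PartialEq)]
enum EchoError {
    Truncated,
    LengthMismatch { claimed: usize, available: usize },
}

/// Echo back `claimed` bytes of payload, as a heartbeat responder would.
/// Checked slicing turns a lying length field into an error value.
fn echo_payload(record: &[u8]) -> Result<Vec<u8>, EchoError> {
    // `get` returns None instead of reading past the end of the buffer.
    let header = record.get(..3).ok_or(EchoError::Truncated)?;
    let claimed = u16::from_be_bytes([header[1], header[2]]) as usize;
    let body = &record[3..];
    let payload = body.get(..claimed).ok_or(EchoError::LengthMismatch {
        claimed,
        available: body.len(),
    })?;
    Ok(payload.to_vec())
}

/// The same logic written carelessly, trusting the claimed length.
/// In C this pattern reads adjacent memory; in Rust the runtime bounds
/// check panics, so the failure is a contained crash, not a data leak.
fn echo_unchecked_index(record: &[u8]) -> Vec<u8> {
    let claimed = u16::from_be_bytes([record[1], record[2]]) as usize;
    record[3..3 + claimed].to_vec()
}

fn main() {
    // Constructed sample records.
    let honest = [0x01, 0x00, 0x04, b'p', b'i', b'n', b'g'];
    let lying = [0x01, 0x40, 0x00, b'p', b'i', b'n', b'g']; // claims 16384 bytes
    println!("{:?}", echo_payload(&honest));
    println!("{:?}", echo_payload(&lying));
    let panicked = std::panic::catch_unwind(|| echo_unchecked_index(&lying)).is_err();
    println!("unchecked indexing panicked: {}", panicked);
}
```

The checked version is what a reviewer should expect in new code; the second function shows that even the careless version cannot return bytes from outside the buffer.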

Go Deeper → Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development – NSA & CISA

NSA and CISA Urge Adoption of Memory Safe Languages for Safety – Infosecurity Magazine
