The Cybersecurity and Infrastructure Agency (CISA), in collaboration with the National Security Agency (NSA), has published a guidance document urging software vendors, developers, and federal agencies to accelerate their adoption of Memory Safe Languages (MSLs).
Titled “Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development,” the guidance highlights how memory-related flaws, including buffer overflows and user-after-free errors, remain one of the most critical and persistent sources of software insecurity.
Drawing on real-world cases like Heartbleed and BadAlloc, vulnerabilities that exposed data across 800,000 websites and jeopardized 195 million devices, respectively, the report warns that poor memory safety poses an unacceptable risk to critical infrastructure and national security.
Safe Languages by Design
The report cites studies showing that memory safety bugs account for 66% to 75% of CVEs across major platforms. These flaws are especially common in non-MSL languages like C and C++, which require developers to manage memory manually.
However, MSLs like Rust, Go, Java, Python, and Swift avoid these problems by including safety checks. These languages use tools like garbage collection and strict memory rules to stop bugs before they happen.
Jason Soroko, Senior Fellow at Sectigo, argues that the guidance represents a fundamental shift in how the industry thinks about development. “Regulators are no longer framing MSLs as a coding style debate. They’re treating them as a structural control that collapses whole vulnerability classes before software ever ships.”
Start Small, Think Big
CIA and the NSA don’t expect developers to rewrite all old software immediately. Instead, they suggest starting with new projects and using MSLs for high-risk parts of software, like systems that connect to the internet or handle sensitive data.
According to the guidance, Google’s Android team took this approach. In 2019, 76% of Android’s security issues were due to memory bugs. After switching to Rust and Java for new components, that number dropped to just 24% by 2024.
J Stephen Kowski, Field CTO at SlashNext, sees this as the sensible way forward. “The key insight from Android’s success isn’t just about language choice, it’s about having visibility into your entire codebase and using that to guide smart, incremental changes.”
Better Security, More Reliable Software
MSLs don’t just improve security; they make software more stable and easier to maintain. They prevent crashes, reduce errors, and help developers find problems faster during testing. This, ultimately, saves time and money in the long run, allowing developers to spend less time fixing bugs and more time building new features.
That said, using MSLs doesn’t mean that developers can stop thinking about security. “This should not be taken as assuming all code written in MSLs is fully secure, says Thomas Richards, Infrastructure Security Practice Director at Black Duck. “Insecure practices can still create vulnerabilities, no matter the language. Developers must understand how to code safely within their chosen language.”
Manual Memory Management Has Had Its Day
“It’s 2025, and yet, we’re still patching buffer overflows like it’s 1995,” said Emilio Pinna, director at SecureFlag. “After decades of shipping software riddled with memory safety bugs, it’s clear: the problem isn’t new, we’re just stubborn.
Pinna points out that many developers today are stuck maintaining C++ codebases that are “beautifully commented landmines.” He adds, “You don’t get brownie points for reinventing the wheel with manual memory management anymore.”
Attackers Got There First
Interestingly, some cybercriminals were early adopters of MSLs. Ngoc Bui, a cybersecurity expert at Menlo Security, says ransomware developers have used Rust and Go for as long as a decade.
“The languages made ransomware harder to analyze and easier to run across different platforms,” she said. “What once was an attacker’s advantage is now a lesson for developers.”
A Secure Future Starts Now
The guidance supports broader U.S. efforts like CISA’s Secure by Design initiative and urges organizations to publish clear roadmaps for adopting memory safe languages. It describes MSL adoption as a long-term investment in secure software, stating that by setting memory safety goals and modernizing development practices, organizations can strengthen the security and resilience of their systems from the ground up.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.