Today, the National Security Agency (NSA) published a new report offering guidance and recommendations to help software developers and operators prevent and mitigate software memory safety issues, which account for a large portion of exploitable vulnerabilities.
The new report, "Software Memory Safety – Cybersecurity Information Sheet," illustrates how malicious threat actors can exploit poor memory management to access sensitive data, execute unauthorized code, and cause other negative impacts. Both Microsoft and Google have found that software memory safety issues represent around 70 percent of their vulnerabilities. Poor memory management can also lead to technical issues, such as incorrect program results, degradation of the program's performance over time, and program crashes. The report recommends that organizations use memory-safe languages when possible and bolster protection through code-hardening defenses such as compiler options, tool options, and operating system configurations. By using memory-safe languages and available code-hardening defenses, many memory vulnerabilities can be prevented, mitigated, or made very difficult for threat actors to exploit. Access the full report at the NSA.