NSA is urging developers to shift to memory-safe programming languages – such as C#, Go, Java, Ruby, Rust, and Swift – to protect their code from remote code execution or other hacker attacks. Of the languages mentioned above, Java is the most widely used across the enterprise and Android app development, while Swift is a top 10 language, thanks in part to iOS app development. And there's growing interest in Rust as a replacement for C and C++ in systems programming. "NSA advises organizations to consider making a strategic shift from programming languages that provide little or no inherent memory protection, such as C/C++, to a memory-safe language when possible. Some examples of memory-safe languages are C#, Go, Java, Ruby, and Swift," the NSA said.
Microsoft, Google, and others have flagged vulnerabilities in codes due to memory safety issues and malicious cyber actors can exploit these vulnerabilities for remote code execution or other adverse effects, which can often compromise a device and be the first step in large-scale network intrusions. Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references.
"Software analysis tools can detect many instances of memory management issues and operating environment options can also provide some protection, but inherent protections offered by memory-safe software languages can prevent or mitigate most memory management issues," said the NSA. Even with a memory-safe language, memory management is not entirely memory safe. "Several mechanisms can be used to harden non-memory safe languages to make them more memory safe. Analyzing the software using static and dynamic application security testing (SAST and DAST) can identify memory use issues in software," said the NSA.
"The compilation and execution environment can be used to make it more difficult for cyber actors to exploit memory management issues. Most of these added features focus on limiting where code can be executed in memory and making memory layout unpredictable," the agency suggested.
Join our WhatsApp Channel to get the latest news, exclusives and videos on WhatsApp
_____________
Disclaimer: Analytics Insight does not provide financial advice or guidance. Also note that the cryptocurrencies mentioned/listed on the website could potentially be scams, i.e. designed to induce you to invest financial resources that may be lost forever and not be recoverable once investments are made. You are responsible for conducting your own research (DYOR) before making any investments. Read more here.