New guidance for software manufacturers on memory safe roadmaps

Eight international agencies, including CERT NZ and the National Cyber Security Centre (NCSC), have released joint guidance for software manufacturers and technical experts on how to eliminate memory safety vulnerabilities from their products.

7 December 2023

The Case for Memory Safe Roadmaps | CISA

Document link: The Case for Memory Safe Roadmaps (PDF, 973 KB)

As part of the collective Secure by Design campaign, the guidance sets out roadmaps for reducing customer risk by prioritising design and development practices that adopt memory safe programming languages (MSLs).

Memory safety vulnerabilities are the most prevalent type of disclosed software vulnerability. They are a class of well-known and common coding errors that malicious actors routinely exploit. These vulnerabilities represent a major problem for the software industry because they force manufacturers to continually release security updates and their customers to continually patch.

The eight signing agencies, across five countries, strongly urge software business owners to push for Secure by Design tenets and signal to customers that they are taking ownership of security outcomes.

CERT NZ Manager of Incident Response Jordan Heersping said that he was pleased to see the work on Secure by Design progressing.

"This guidance is important for a number of reasons, but mostly because it hardens our global cyber resilience to malicious actors. If we get it right at the manufacturer level, then it flows down to the organisational and consumer levels."

The Secure by Design campaign urges technology providers to take ownership of their customers’ security outcomes by building cybersecurity into design and development.

For full details and other papers see the Secure by Design page on the CISA website: Secure by Design | CISA

This work is jointly released by:

  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • United States National Security Agency (NSA)
  • United States Federal Bureau of Investigation (FBI)
  • Australian Cyber Security Centre (ACSC)
  • Canadian Centre for Cyber Security (CCCS)
  • United Kingdom National Cyber Security Centre (NCSC UK)
  • New Zealand National Cyber Security Centre (NCSC NZ)
  • Computer Emergency Response Team New Zealand (CERT NZ)