CISA to Developers: Adopt Memory Safe Programming Languages
2023-12-8 02:20:52 Author: securityboulevard.com

Software makers need to embrace the growing number of newer programming languages that protect memory to reduce the number of security vulnerabilities in their products, according to cybersecurity agencies in the United States and other countries.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released a report outlining steps software developers can take to create roadmaps for migrating away from C and C++ and adopting memory safe programming languages like Rust, C#, Go, Java, Python, and Swift.

Doing so will eliminate many of the memory safety vulnerabilities that count as the most common flaws in languages, according to CISA. It also will continue to shift the responsibility for security in software from users to developers, one of the drivers behind the agency’s “secure by design” push for software development.

The lack of memory safe coding is behind as much as two-thirds of all software vulnerabilities, according to CISA Director Jen Easterly.

“Removing this routinely exploited security vulnerability can pay enormous dividends for our nation’s cybersecurity but will require concerted community effort and sustained investment at the executive level,” Easterly said in a statement. “It’s way past time for us to get serious about protecting all software customers and implement Secure by Design principles into baseline product development to eliminate these types of threats once and for all.”

Exploiting the Flaws

According to the report, memory safety vulnerabilities affect how memory is accessed, written, or allocated in ways that aren’t intended in the programming languages. Bad actors may be able to manipulate software into making requests that exploit these vulnerabilities.

“Depending on the type of vulnerability, a malicious actor may be able to illicitly access data, corrupt data, or run arbitrary malicious code,” the report’s authors wrote, noting that “a malicious actor may send a carefully crafted payload to an application that corrupts the application’s memory, then causing it to run malware.”

Another example would be a malicious actor sending a “malformed image file that includes malware to create an interactive shell on the victim system. If an actor can execute arbitrary code in this way, the actor may gain control of the account running the software,” they wrote.

Vulnerabilities an Ongoing Problem

These problems are common. According to the report, about 70% of Microsoft CVEs and of flaws in Google’s Chromium project are memory safety vulnerabilities. For Mozilla, 32 of 34 critical- or high-rated flaws fell into this category.

Such flaws – which include buffer overflows, use of uninitialized memory, and use after free – come at a cost for both the software manufacturers and their users.

“These vulnerabilities persist despite software manufacturers historically expending significant resources attempting to reduce their prevalence and impact through various methods, including analyzing, patching, publishing new code and investing in training programs for developers,” the authors wrote. “Customer organizations expend significant resources responding to these vulnerabilities through onerous patch management programs and incident response activities.”

Creating a Roadmap

The report lays out various mitigation methods used by software makers that have fallen short in stemming the problem, including developer training, code coverage, secure coding guidelines, and fuzzing to reduce the prevalence of such vulnerabilities, as well as those – such as non-executable memory, control flow integrity, and sandboxing – to reduce their impact.

That said, these efforts are still valuable, particularly as organizations undertake the shift to memory safe languages or to protect code that hasn’t yet been – or can’t be – transitioned to such languages.

CISA and the other agencies involved in the report – including the FBI and National Security Agency as well as cybersecurity agencies in the UK, Canada, Australia, and New Zealand – said organizations need to start creating a roadmap that will guide them to eventually using memory safe languages.

Doing so will let users know that the manufacturers are taking ownership of security outcomes, adopting extreme transparency, and using a top-down approach, according to CISA.

In their roadmaps, organizations need to pick use cases that are appropriate for different memory safe languages, figure out how they’ll train staff on the new languages, and start with smaller projects so developers can learn new tools and processes.

They also can prioritize security-critical code, figure out how to deal with code that is bound to the CPU, and plan time for developers to learn new languages and to integrate new staff.

Source: https://securityboulevard.com/2023/12/cisa-to-developers-adopt-memory-safe-programming-languages/