The US National Security Agency (NSA) urged developers to avoid programming languages that lack built-in memory safety features.
According to the security agency, the memory management of applications is increasingly targeted by cybercriminals. Attackers can exploit application memory management problems to gain access to sensitive information and execute unauthorized code.
The NSA sees the most risks in the underlying code of applications based on traditional programming languages such as C and C++. While the languages provide a lot of freedom and flexibility, they’re error-prone in terms of memory management, according to the NSA.
Developers who use these languages typically have to check memory references manually. Small errors in this process can lead to easily exploitable memory-based vulnerabilities, the NSA said.
Moving to modern programming languages
Software analysis tools can detect errors and provide protection against such vulnerabilities. Nevertheless, code is rarely foolproof. Therefore, the NSA recommends that developers use programming languages that provide built-in memory safety features and remove the risks of manual memory management.
The NSA cited programming languages such as C#, Go, Java, Ruby, Rust and Swift. According to the NSA, these languages allow developers to harden OS configurations and use tools for analysis more easily.
The US intelligence agency says it wants to start helping companies move from traditional programming languages to modern languages with memory safety support. Further details about the initiatives are currently unknown.