
By Avishay Balter and Nell Shamrell-Harrington
The OpenSSF’s Memory Safety SIG has just released “The Memory Safety Continuum”. It was written with software developers, organizations, and security professionals in mind and it provides practical insights and strategies for enhancing software security wherever you are on the memory safety spectrum today.
Why Memory Safety Matters
Memory safety is crucial because it helps prevent vulnerabilities that can lead to serious security issues. In fact, technology organizations such as Microsoft and Google previously stated that software memory safety issues are behind around 70 percent of their vulnerabilities, including common programming errors like buffer overflows, use-after-free bugs, and other memory corruption issues. These vulnerabilities remain a primary source of security risks, frequently exploited by attackers and posing significant threats to organizations and end-users alike.
Recognizing this, agencies around the world have released critical guidance on addressing memory safety risks. For instance:
- U.S. CISA together with the FBI, the Australian Cyber Security Centre and the Canadian Centre for Cyber Security highlight in their case studies that memory safety vulnerabilities constitute a significant proportion of disclosed software weaknesses. These documents encourage software manufacturers to prioritize mitigating or eliminating such vulnerabilities in their products.
- NIST’s recommendations emphasize adopting safer programming languages, stating that this approach can prevent entire classes of security issues.
- A roadmap created by top cybersecurity agencies highlights the need to switch to memory safe programming languages.
- A chapter on memory safety in CISA and the FBI’s Product Security Bad Practices document outlines the dangers of using memory-unsafe languages for critical infrastructure.
- The Communications of the ACM in 2025 published an opinion piece, signed by many co-authors, arguing that “It Is Time to Standardize Principles and Practices for Software Memory Safety”.
How “The Memory Safety Continuum” Can Help
The OpenSSF’s Memory Safety Continuum builds upon these national and international recommendations, providing you, the developers, organizations, and technical leaders, with a practical framework. Rather than treating memory safety as a binary state (achieved or not), the continuum document introduces an iterative approach. This perspective acknowledges that memory safety improvements exist on a spectrum, enabling teams to assess where they stand and define actionable steps to progress.
By promoting and exploring the continuum definition, we hope that the work we published will help you navigate the complexities of addressing memory safety risks. It serves as a bridge between the high-level recommendations of CISA, NIST, and others, and the practical realities of software development. Whether transitioning to memory-safe languages or implementing mitigations for legacy systems, this document will equip you with the tools and insights needed to improve security incrementally and sustainably.
Contributions from Ecosystem Experts
One of the standout features of “The Memory Safety Continuum” is that it was contributed by several ecosystem-specific subject matter experts (SMEs). Experts from various programming languages and ecosystems, including C++, .NET, Rust, and more, have provided their insights and expertise to make this document comprehensive and practical for a wide range of developers.
What’s Next?
The release of “The Memory Safety Continuum” is a big step forward in making your software more secure. By following the guidelines and best practices in this document, developers and organizations can make significant strides towards creating safer software.
We encourage everyone in the software development community to check out the Memory Safety Continuum and start integrating its recommendations into your projects. Together, we can build a safer digital world.
For more info and to read the full document, visit The Memory Safety Continuum page.
Got questions or feedback? We’d love to hear from you.
The Memory Safety SIG meets every other Thursday @ 13:00am EST. The invite is available on the OpenSSF Community Calendar.
Read more about our work and let’s keep working together to make software safer and more secure!
Authors
Avishay Balter is a Principal SWE Lead at Microsoft with nearly 20 years of experience in building cutting-edge software and leading high-performing engineering teams. Deeply involved in the open-source community as a co-chair of the Open-Source Security Foundation (OpenSSF) Best Practices WG and Memory Safety SIG.
Nell Shamrell-Harrington is a Principal Engineer at Microsoft working in Azure. Chair of the Rust Foundation Board. Co-chair of the OpenSSF Memory Safety SIG. Lead editor of This Week in Rust. Long time open source contributor, maintainer, and leader. Outside of work, Nell enjoys raising pet bunnies and fostering a variety of critters!