Blog Security How to secure memory-safe vs. manually managed languages
2023-03-14
2 min read

How to secure memory-safe vs. manually managed languages

Learn how GitLab reduces source code risk using scanning, vulnerability management, and other key features.

securityscreen.jpg
fjdiaz-headshot Fernando Diaz
security devsecops tutorial

The National Security Agency (NSA) has published an executive summary showcasing the
risk of using manually managed languages over memory-safe languages in application
development. Manual memory management may introduce major bugs and security risks into your application if
the memory is managed incorrectly.

Security bugs introduced by manually managed languages can be catastrophic to the function of the
application, as well as the information contained in the application. These bugs may cause
performance slowdowns, application crashes, remote code execution, information leakage, and
system failures.

Bugs that may be introduced include the following:

  • Memory leak: Memory no longer being used is not released, which reduces the amount of available memory.
  • Buffer overflow: Overwriting of memory locations adjacent to a buffers boundary.
  • Segmentation fault: An application tries to access a restricted piece of memory.
  • Wild pointers: Pointer points to the memory which has been deallocated.
  • Undefined behavior: An application with unpredictable behavior.

To provide some insight on the prevalance of risk introduced by manually managed languages, Microsoft
revealed that within the span of 12 years, 70% of their vulnerabilities were due to mismanagement of memory.
Google reported that there was a similar percentage of vulnerabilities introduced by memory safety
violations within the Chrome browser.

All these vulnerabilities can be exploited by malicious actors who may compromise a device, potentially leading to a compromise of a larger network infrastructure. With this large risk presented by mismanaged memory,
the NSA advises organizations to consider using memory-safe languages wherever possible and providing
mechanisms to harden applications built with manually managed languages.

Memory-safe languages vs. manually managed languages

A memory-safe language is a language where memory allocation and garbage collection are abstracted away from
the developer and handled by the programming language itself. These languages include Python, Java, and Go,
to name a few.

In contrast, manually managed languages provide a developer with full control over the system memory (with some exceptions).
The most popular manually managed languages are C and C++.

Each language type has a purpose and use case. There are times when a memory-safe language is recommended, but there are also
times when it may not suit the application requirements.

Below is a list of some pros and cons of each language type:

Language type Pros Cons

More to explore

View all blog posts
Security
securitycheck.png

Tips to configure browser-based DAST scans

Security
securitycheck.png

Enterprise-scale security and compliance policy management in the AI era

Security
securityscreen.jpg

GitLab’s response to a high severity vulnerability impacting curl and libcurl

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert