Ensure Use of Memory-Safe Programming Practices
Use programming languages that prevent memory errors to enhance security in software development.
Plain language
This control is about using safe coding practices in software development to avoid common mistakes that can lead to serious security problems. If a program misuses computer memory, it might crash or let hackers mess with the program in dangerous ways. By using safer programming languages or techniques, we reduce these risks and help keep our software secure.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Memory-safe programming languages, or less preferably memory-safe programming practices, are used for software development.
Why it matters
Without memory-safe languages or practices, software is prone to buffer overflows and use-after-free bugs, enabling code execution, data theft, or system compromise.
Operational notes
Prefer memory-safe languages (e.g., Rust) for new components; for C/C++, use sanitizers, fuzzing, and strict code review of unsafe memory operations.
Implementation tips
- Software developers should select programming languages that are designed to prevent memory errors, such as Java, Python, or Rust, when starting a new project. These languages automatically manage memory, which can prevent many types of security vulnerabilities. Developers can research and choose a language that best fits the project requirements while enhancing security.
- IT managers should organise training for their team on memory-safe programming practices. This can include workshops or online courses that focus on understanding how memory errors occur and how to avoid them using safe coding techniques. Engaging a trainer with expertise in memory-safe code is a practical approach to ensure the team has the necessary skills.
- Project leaders should establish coding standards that prioritise memory safety. These standards should be integrated into the development process and include guidelines on using safe libraries and frameworks. Document these standards and ensure that all developers are familiar with and follow them.
- Quality assurance teams should incorporate static analysis tools to check the code for memory safety issues before the software is released. Tools like Clang or Coverity can be set up to automatically scan code and highlight potential problems. This step helps catch errors early in the development cycle.
- Procurement officers should ensure that external software vendors adhere to memory-safe practices. When evaluating software from other companies, include memory safety requirements in their evaluation criteria and ask vendors to provide evidence of their memory management practices.
Audit / evidence tips
- Ask for the list of programming languages used in development projects: Request a document or report detailing the programming languages chosen for each project
  Good will show a selection of languages like Python, Java, or Rust, known for their memory safety features
- Good is documentation showing regular training sessions addressing memory safety
- Ask for the coding standard documents: Request the guidelines or standards documents used by developers
  Good is a comprehensive document with clear rules and examples of memory-safe code
- Ask to see the analysis results from tools like Clang or Coverity
  Good includes recent reports showing a low number of memory-related issues and steps taken to address any that did occur
- Ask for vendor compliance documentation: Request documentation from vendors showing their adherence to memory-safe practices
  Good is documentation that clearly outlines how vendors meet memory safety requirements
Cross-framework mappings
How ISM-2041 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.25 | ISM-2041 requires memory-safe languages or memory-safe programming practices as a concrete security requirement for software development | |
| Partially overlaps (1) | | |
| Annex A 8.28 | Annex A 8.28 requires secure coding principles to be applied across software development | |
| Supports (1) | | |
| Annex A 8.26 | Annex A 8.26 requires security requirements to be identified, specified and approved for applications being developed or acquired | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.