ISM-2041: ASD Information Security Manual (ISM)

Ensure Use of Memory-Safe Programming Practices

Use programming languages that prevent memory errors to enhance security in software development.

Plain language

This control is about using safe coding practices in software development to avoid common mistakes that can lead to serious security problems. If a program misuses computer memory, it might crash or let hackers mess with the program in dangerous ways. By using safer programming languages or techniques, we reduce these risks and help keep our software secure.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Memory-safe programming languages, or less preferably memory-safe programming practices, are used for software development.
ASD Information Security Manual (ISM), ISM-2041

Why it matters

Without memory-safe languages or practices, software is prone to buffer overflows and use-after-free bugs, enabling code execution, data theft, or system compromise.

Operational notes

Prefer memory-safe languages (e.g., Rust) for new components; for C/C++, use sanitizers, fuzzing, and strict code review of unsafe memory operations.

Implementation tips

  • Software developers should select programming languages that are designed to prevent memory errors, such as Java, Python, or Rust, when starting a new project. These languages automatically manage memory, which can prevent many types of security vulnerabilities. Developers can research and choose a language that best fits the project requirements while enhancing security.
  • IT managers should organise training for their team on memory-safe programming practices. This can include workshops or online courses that focus on understanding how memory errors occur and how to avoid them using safe coding techniques. Engaging a trainer with expertise in memory-safe code is a practical approach to ensure the team has the necessary skills.
  • Project leaders should establish coding standards that prioritise memory safety. These standards should be integrated into the development process and include guidelines on using safe libraries and frameworks. Document these standards and ensure that all developers are familiar with and follow them.
  • Quality assurance teams should incorporate static analysis tools to check the code for memory safety issues before the software is released. Tools like Clang or Coverity can be set up to automatically scan code and highlight potential problems. This step helps catch errors early in the development cycle.
  • Procurement officers should ensure that external software vendors adhere to memory-safe practices. When evaluating software from other companies, include memory safety requirements in their evaluation criteria and ask vendors to provide evidence of their memory management practices.

Audit / evidence tips

  • Ask: The list of programming languages used in development projects. Request a document or report detailing the programming languages chosen for each project. Good: Will show a selection of languages like Python, Java, or Rust, known for their memory safety features.
  • Good: Is documentation showing regular training sessions addressing memory safety.
  • Ask: The coding standard documents. Request the guidelines or standards documents used by developers. Good: Is a comprehensive document with clear rules and examples of memory-safe code.
  • Ask: To see the analysis results from tools like Clang or Coverity. Good: Includes recent reports showing a low number of memory-related issues and steps taken to address any that did occur.
  • Ask: Vendor compliance documentation. Request documentation from vendors showing their adherence to memory-safe practices. Good: Is documentation that clearly outlines how vendors meet memory safety requirements.

Cross-framework mappings

How ISM-2041 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Relationship | Control | Notes
Partially meets (1) | Annex A 8.25 | ISM-2041 requires memory-safe languages or memory-safe programming practices as a concrete security requirement for software development
Partially overlaps (1) | Annex A 8.28 | Annex A 8.28 requires secure coding principles to be applied across software development
Supports (1) | Annex A 8.26 | Annex A 8.26 requires security requirements to be identified, specified and approved for applications being developed or acquired

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
