Announcing the Release of “The Memory Safety Continuum”

The OpenSSF’s Memory Safety SIG has just released “The Memory Safety Continuum”. It was written with software developers, organizations, and security professionals in mind, and it provides practical insights and strategies for enhancing software security wherever you are on the memory safety spectrum today.

Why Memory Safety Matters

Memory safety is crucial because it helps prevent vulnerabilities that can lead to serious security issues. In fact, technology organizations such as Microsoft and Google have previously stated that software memory safety issues are behind around 70 percent of their vulnerabilities, including common programming errors like buffer overflows, use-after-free bugs, and other memory corruption issues. These vulnerabilities remain a primary source of security risk, are frequently exploited by attackers, and pose significant threats to organizations and end users alike.

Recognizing this, agencies around the world have released critical guidance on addressing memory safety risks. For instance:

The Communications of the ACM in 2025 published an opinion piece, signed by many co-authors, arguing that “It Is Time to Standardize Principles and Practices for Software Memory Safety”.

How “The Memory Safety Continuum” Can Help

The OpenSSF’s Memory Safety Continuum builds upon these national and international recommendations, providing you, whether developer, organization, or technical leader, with a practical framework. Rather than treating memory safety as a binary state—achieved or not—the continuum document introduces an iterative approach. This perspective acknowledges that memory safety improvements exist on a spectrum, enabling teams to assess where they stand and define actionable steps to progress.

By promoting and exploring the continuum definition, we hope that the work we published will help you navigate the complexities of addressing memory safety risks. It serves as a bridge between the high-level recommendations of CISA, NIST, and others and the practical realities of software development. Whether you are transitioning to memory-safe languages or implementing mitigations for legacy systems, this document will equip you with the tools and insights needed to improve security incrementally and sustainably.

Contributions from Ecosystem Experts

One of the standout features of “The Memory Safety Continuum” is that it was written with contributions from several ecosystem-specific subject matter experts (SMEs). Experts from various programming languages and ecosystems, including C++, .NET, Rust, and more, have provided their insights and expertise to make this document comprehensive and practical for a wide range of developers.

What’s Next?

The release of “The Memory Safety Continuum” is a big step forward in making your software more secure. By following the guidelines and best practices in this document, developers and organizations can make significant strides towards creating safer software.

We encourage everyone in the software development community to check out the Memory Safety Continuum and start integrating its recommendations into your projects. Together, we can build a safer digital world.

For more info and to read the full document, visit The Memory Safety Continuum page.
Got questions or feedback? We’d love to hear from you. The Memory Safety SIG meets every other Thursday at 13:00 EST. The invite is available on the OpenSSF Community Calendar. Read more about our work, and let’s keep working together to make software safer and more secure!