Go and FIPS 140-3: Validating a Memory-Safe Module (S31a)
With decades of security vulnerabilities tied to memory-unsafe languages, memory-safe programming has become a priority for reducing security risks and enhancing productivity. Echoing this trend, the White House Office of the National Cyber Director has endorsed memory safety as a fundamental strategy to counter cyber threats.
However, achieving FIPS 140-3 compliance with a memory-safe language poses challenges, as nearly all software modules are written in C/C++ or are based on the JVM. Recently, the Go project has broken ground by seeking FIPS 140-3 validation for its standard cryptographic library—an effort that sets precedent for memory-safe languages as secure, performant, and compliant alternatives in the cryptography space.
This talk explores the hurdles the Go project faced in pursuing validation and the strategies applied to achieve compliance outside the typical C/C++ context.