Is explicitly clearing/zeroing sensitive variables after use sensible?

情歌与酒 2021-01-04 12:44

I have noticed some programs explicitly zero sensitive memory allocations after use. For example, OpenSSL has a method to clear the memory occupied by an RSA key:


4 Answers
  •  一整个雨季
    2021-01-04 13:02

    From a security standpoint, your memory might contain data that you would not like to linger around. If the process crashes, the core file will have the complete dump of the memory. It is possible to dig into those core files and mine data. For a support call, if you have to send that core file, you would feel safer if the memory is sanitized after use. When I worked on VMS, some sensitive customers would refrain from even giving us the dump files (making this extremely difficult to debug).
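
An added example, not part of the original question or answers: a C sketch of the two mitigations discussed here, wiping a secret so the compiler cannot optimize the wipe away, and setting the core-file limit to 0 so a crash writes no dump. The function names and the 32-byte sample key are constructed for illustration; POSIX `setrlimit` is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Zero a buffer through a volatile pointer. A plain memset() on a buffer
 * that is never read again is a dead store the optimizer may delete. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Set the core-file size limit to 0 so a crash writes no memory dump.
 * Returns 1 if the soft limit reads back as 0, else 0. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Use a constructed 32-byte "key", wipe it, and return how many non-zero
 * bytes remain in the buffer (0 means the wipe took effect). */
size_t use_and_wipe_demo(unsigned *checksum_out)
{
    unsigned char key[32];
    unsigned sum = 0;
    size_t i, left = 0;

    memset(key, 0xA5, sizeof key);          /* constructed sample secret */
    for (i = 0; i < sizeof key; i++)        /* stand-in for real key use */
        sum += key[i];
    *checksum_out = sum;

    secure_wipe(key, sizeof key);
    for (i = 0; i < sizeof key; i++)
        left += (key[i] != 0);
    return left;
}

int main(void)
{
    unsigned sum;
    printf("core dumps disabled: %d\n", disable_core_dumps());
    printf("non-zero bytes after wipe: %zu\n", use_and_wipe_demo(&sum));
    return 0;
}
```

Where a library routine such as `OPENSSL_cleanse` or `explicit_bzero` is available, it serves the same purpose as `secure_wipe` here.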
