Third Party Risk Management, Governance and Risk Management, Security Operations
Report finds majority of important open source projects use memory-unsafe languages
Chris Liotta (Chris Liotta) •
June 27, 2024
A majority of important open source projects surveyed by the Cybersecurity and Infrastructure Security Agency were coded in memory-unsafe languages, a new report has found, raising concerns that critical systems used in a range of sectors may contain security vulnerabilities.
reference: Overview of global threats for 2024
The U.S. cyber defense agency evaluated 172 projects included in a list compiled by the Open Source Security Foundation’s Securing Critical Projects Working Group. The list includes projects such as the Linux kernel, which serves as a fundamental component of many operating systems, OpenSSL, a widely used cryptography library, and Kubernetes, a container management system that is essential for managing the deployment of applications.
“Adopting memory safety best practices won’t solve all your security problems, but it’s an important first step,” Omkhar Arasaratnam, general manager of the OpenSSF, told Information Security Media Group on Thursday. He added that memory-safe languages allow programmers to focus on writing higher quality code “instead of risking their way through low-level memory management.”
Open source software carries a variety of risks, from coding flaws that can be widely accessed and exploited, to lack of regular updates, inadequate funding, and inadequate oversight. If exploited, vulnerabilities in critical open source software could have devastating consequences, experts say. Misuse could lead to widespread data breaches, infrastructure compromise, and huge financial losses (see: Experts warn of risks to overhauling memory-safe programming).
Reports show While many developers continue to ignore secure coding practices and fail to conduct proper security testing, experts say security testing could help better protect open source software from serious threats.
At least 52 percent of critical open source projects assessed contain code written in memory-unsafe languages, according to Wednesday’s report. CISA found that many open source software programmers continue to use memory-unsafe languages in operating system kernels and drivers where “performance and resource constraints are key factors.”
Still, the agency argued that moving away from memory-unsafe languages could be an “effective security investment” to significantly reduce vulnerabilities and make systems more resilient.
CISA also warned that critical projects written in memory-safe languages may still have “potential memory safety vulnerabilities” that arise from the direct use of memory-unsafe languages in certain components, or from having external dependencies on projects that use memory-unsafe languages.
“These limitations highlight the need for continued and diligent use of memory-safe programming languages, secure coding practices, and security testing,” the report said.
The report follows a joint report released in 2023 by CISA, the FBI and other agencies which warned that memory safety vulnerabilities are among the most common types of software vulnerabilities and are often costly to patch, mitigate and respond to incidents (see: CISA Urges Software Developers to Prioritize Memory-Safe Coding).
But rewriting code for legacy systems built in memory-unsafe languages like C and C++ can be just as complicated, or even more complicated, than continuing to maintain and patch the legacy systems, according to Neatsun Ziv, CEO and co-founder of OX Security.
“Memory-safe languages [are] “Not only is it costly, it’s complex and can disrupt critical business operations,” Ziv told ISMG. “The key challenge is balancing the increased security with the financial impact.”
CISA urged manufacturers to continue migrating away from insecure memory languages, implement secure coding practices, and adopt regular security testing measures to reduce memory safety vulnerabilities.
The experts also said improving software architecture and adopting more secure programming languages were important steps to strengthening cyber-resilience in critical open source software projects.
“Memory safety has been a persistent problem for decades,” says Ziv. “Fortunately, there is growing attention being paid to memory safety, its benefits, and ways to break down the barriers to adoption.” (References: The Rise of Memory-Safe Languages in Secure Development).
CISA did not immediately respond to a request for comment.