TLDR:
- CISA analyzed critical open source projects and found memory safety risks due to code in C/C++
- Memory safety vulnerabilities can lead to exploitation and control of software and data
CISA, along with other cybersecurity agencies, conducted a study of 172 critical open source projects and discovered that over half of them contained code written in languages like C and C++ that are not inherently memory safe. The report, titled “Exploring Memory Safety in Critical Open Source Projects,” highlights the risks of memory-unsafe languages, which leave memory management to the programmer and so give rise to vulnerabilities like buffer overflows and use-after-free errors. Memory-safe languages like C#, Go, Java, Python, Rust, and Swift are recommended to reduce memory safety risks.
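As an added illustration (not code from the CISA report), this shows the kind of missing length check that turns C's manual memory handling into the buffer overflow class the report describes, next to a bounds-checked form that rejects bad input instead. The wire format, function names and sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed message layout: one length byte followed by a name.
 * In a real parser the length byte is untrusted input. */
#define NAME_MAX 16

/* Memory-unsafe pattern: the declared length is trusted, so a length
 * byte larger than NAME_MAX writes past the end of 'out'.
 * Kept here only to make the missing check visible. */
static void copy_name_unchecked(const uint8_t *msg, char out[NAME_MAX]) {
    size_t len = msg[0];
    memcpy(out, msg + 1, len);   /* no bound on len: stack buffer overflow */
    out[len] = '\0';
}

/* Hardened form: check the declared length against both the receiving
 * buffer and the bytes actually present in the message.
 * Returns 0 on success, -1 when the input is rejected. */
static int copy_name_checked(const uint8_t *msg, size_t msg_len,
                             char out[NAME_MAX]) {
    if (msg_len < 1) return -1;            /* no length byte at all */
    size_t len = msg[0];
    if (len >= NAME_MAX) return -1;        /* leave room for terminator */
    if (len > msg_len - 1) return -1;      /* claims more bytes than sent */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample inputs. */
    const uint8_t good[] = {5, 'a', 'l', 'i', 'c', 'e'};
    const uint8_t oversized[] = {200, 'x'};   /* length byte lies */
    char name[NAME_MAX];

    copy_name_unchecked(good, name);          /* safe only because input is benign */
    if (copy_name_checked(good, sizeof good, name) == 0)
        printf("accepted: %s\n", name);
    if (copy_name_checked(oversized, sizeof oversized, name) != 0)
        printf("rejected oversized length\n");
    /* copy_name_unchecked(oversized, name) would corrupt the stack;
     * AddressSanitizer or a fuzzer, as the report recommends, flags it. */
    return 0;
}
```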
The report emphasizes the importance of rewriting critical components in memory-safe languages to mitigate risks, as even projects in memory-safe languages can be vulnerable to memory safety bugs through dependencies. It notes that companies like Google and Microsoft are moving towards memory-safe languages, with Rust gaining popularity for its memory safety guarantees. However, the transition to memory-safe languages may take time, and in the interim, static code analysis and fuzzing tools are recommended to address memory-safety risks.
Overall, the report urges organizations to consider the adoption of memory-safe languages to enhance software security and safety. With the rise of memory safety concerns in the technical community, it is essential for developers and C-level executives to prioritize memory safety considerations when selecting programming languages.