CISA flags memory-unsafe code in big open source projects

June 29, 2024
1 min read

Key Elements of CISA’s Report on Memory-Unsafe Code in Major Open Source Projects

TLDR:

  • Study finds extensive use of memory-unsafe code in major open source projects
  • Challenges in transitioning to memory-safe languages due to cost and complexity

A comprehensive study by CISA, FBI, and others revealed that over 50% of major open source projects contain memory-unsafe code, leading to common security vulnerabilities. While there have been calls for transitioning to memory-safe languages like Rust, Python, and Java, the sheer scale of codebases and the need to rewrite entire projects pose significant challenges.

Article Summary:

A recent report from CISA highlighted the alarming prevalence of memory-unsafe code in major open source projects. Despite the known security risks associated with languages like C and C++, transitioning to memory-safe languages presents significant challenges.

The report found that over half of the lines of code in major open source projects were written in memory-unsafe languages. Even projects initially written in memory-safe languages were found to be at risk due to dependencies on unsafe components.
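The report counts lines written in memory-unsafe languages, but the risk it refers to comes from concrete defect patterns in that code. The following is an added illustration (not code from the report or from any project it examined) of the most common such pattern in C: an unbounded copy into a fixed-size buffer, shown next to a bounded replacement that refuses input that does not fit. The `account` struct, the `NAME_LEN` limit and all function names are hypothetical.

```c
/* Added example: a memory-unsafe fixed-buffer copy and its bounded counterpart.
   Hypothetical struct and function names; not taken from the CISA report. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

struct account {
    char name[NAME_LEN];
    int  privileged;   /* lies directly after the buffer in memory */
};

/* Memory-unsafe pattern: strcpy copies until the NUL in src, so any src of
   NAME_LEN or more bytes writes past `name` and corrupts `privileged`
   (or whatever else follows). This is the defect class the report counts. */
void set_name_unsafe(struct account *a, const char *src) {
    strcpy(a->name, src);
}

/* Bounded replacement: look for the terminator within the buffer size and
   reject input that does not fit (including its NUL). Never writes more
   than NAME_LEN bytes and leaves the struct untouched on rejection. */
bool set_name_checked(struct account *a, const char *src) {
    const char *end = memchr(src, '\0', NAME_LEN);
    if (end == NULL) {
        return false;                         /* too long */
    }
    size_t n = (size_t)(end - src);
    memcpy(a->name, src, n + 1);              /* n + 1 copies the NUL too */
    return true;
}

/* Compare the stored name with an expected value without overrunning it. */
bool name_is(const struct account *a, const char *expected) {
    return strncmp(a->name, expected, NAME_LEN) == 0;
}

/* Self-check: a short name is accepted, an over-long one is rejected and the
   previously stored data (name and the adjacent field) is left as it was. */
bool demo_checked_copy(void) {
    struct account a = { "", 0 };
    char too_long[NAME_LEN + 8];                        /* constructed input */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    if (!set_name_checked(&a, "alice")) return false;
    if (!name_is(&a, "alice")) return false;
    if (set_name_checked(&a, too_long)) return false;   /* must be rejected */
    if (!name_is(&a, "alice") || a.privileged != 0) return false;
    return true;
}

int main(void) {
    printf("bounded copy behaves as expected: %s\n",
           demo_checked_copy() ? "yes" : "no");
    return 0;
}
```

The unsafe variant is only shown for contrast; `main` never calls it. The checked variant is the shape of fix that a rewrite in a memory-safe language gives you by default, which is why the report treats the language choice itself as a security property.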

Efforts to promote memory-safe languages have been ongoing for years, with calls for a shift that would reduce vulnerabilities in modern code bases. While some progress has been made, the complete transition to memory-safe code is expected to be slow because of the costs and complexity involved.

Despite the challenges, the study emphasizes the need for continued adoption of memory-safe programming languages and secure coding practices to mitigate memory safety vulnerabilities in software.
