3rd Party Risk Management , Governance & Risk Management , Security Operations

CISA Report Finds Critical Open-Source Memory Safety Risks

Report Finds Majority of Critical Open-Source Projects Use Memory-Unsafe Language
CISA Report Finds Critical Open-Source Memory Safety Risks
CISA found 52% of assessed critical open-source projects contain code written in memory-unsafe language, the report says. (Image: Shutterstock)

A majority of critical open-source projects reviewed by the Cybersecurity and Infrastructure Security Agency are coded with memory-unsafe languages, according to a new report that raises concerns that vital systems used across a variety of sectors may be vulnerable to security exploits.

See Also: Why Organizations Need Both PAM and Third-Party Security

The U.S. cyber defense agency assessed 172 projects included in a list put together by the Open Source Security Foundation's Securing Critical Projects working group. The list includes projects such as the Linux Kernel, which serves as a fundamental component of many operating systems; OpenSSL, a widely used encryption library; and Kubernetes, a container management system crucial for application deployment management.

"While adopting memory safety best practices will not fix everything in security overnight, it's an essential first step," Omkhar Arasaratnam, general manager of OpenSSF, told Information Security Media Group on Thursday. He added that memory-safe languages allow programmers to focus on producing higher-quality code "rather than perilously contending with low-level memory management."

Open-source software brings a wide range of risks, from coding flaws that can be widely accessed and exploited to a lack of regular updates, insufficient funding and inadequate oversight. The result of an exploited vulnerability in critical open-source software can be devastating, experts say: Exploits can lead to widespread data breaches, compromised infrastructure and significant financial losses (see: Experts Warn of Risks in Memory-Safe Programming Overhauls).

The report shows that many developers continue to ignore secure coding practices and fail to implement adequate security testing, which experts say could help better protect open-source software from critical threats.

At least 52% of assessed critical open-source projects contain code written in memory-unsafe language, according to the Wednesday report. CISA found that many open-source software programmers continue to employ memory-unsafe languages in operating systems kernels and drivers when "performance and resource constraints are critical factors."

Still, the agency argued that transitioning away from memory-unsafe languages can be "an effective security investment" to significantly reduce vulnerabilities and enhance system resilience.

CISA also warned that critical projects written in memory-safe languages can still "potentially contain memory safety vulnerabilities" that can be caused by direct use of memory-unsafe languages in certain components or external dependencies on projects that use memory-unsafe languages.

"These limitations highlight the need for continued diligent use of memory-safe programming languages, secure coding practices, and security testing," the report says.

The report comes after a previous joint publication from CISA, the FBI and other authorities in 2023 warned that memory safety vulnerabilities are among the most prevalent classes of software vulnerabilities and often result in costly patching, mitigation and incident response efforts (see: CISA Urges Software Developers to Prioritize Memory-Safe Coding).

But rewriting code found in legacy systems built with memory-unsafe languages such as C and C++ can be equally if not more complicated than continuing to maintain and patch legacy systems, according to Neatsun Ziv, CEO and co-founder of OX Security.

"Memory-safe languages [are] not only costly but also complex, potentially leading to disruptions in critical business operations," Ziv told ISMG. "The key challenge lies in balancing enhanced security with the financial implications."

CISA urged manufacturers to reduce memory safety vulnerabilities by continuing to transition away from unsafe-memory languages and by implementing secure coding practices and adopting routine security testing measures.

Experts also said improving software architecture and adopting safer programming languages are crucial steps to enhancing cyber resilience in critical open-source software projects.

"Memory safety has been a persistent problem for decades," Ziv said. "Fortunately, we are seeing a heightened focus on memory safety, the benefits, and ways to break down the barriers to adoption" (see: The Rise of Memory-Safe Languages in Secure Development).

CISA did not immediately return a request for comment.

About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing devicesecurity.io, you agree to our use of cookies.