In a joint report, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and their Canadian and Australian counterparts warned that many open source programs lack sufficient protection against emerging threat actors and evolving threats.
In its analysis of 172 open source projects, CISA highlighted the importance of using memory-safe languages to prevent many vulnerabilities.
The report states that just over half (52%) of the projects contained code written in a memory-unsafe language.
US government stresses importance of memory-safe languages
Memory safety is crucial to preventing common vulnerabilities such as buffer overflows and use-after-free errors. Popular languages such as Java, Go, C#, and Python manage memory automatically through garbage collection, and Rust enforces memory safety at compile time through its ownership and borrowing rules; either approach removes most of the opportunities for these bugs to occur.
However, other popular languages such as C, C++, and Assembly leave memory management, bounds checking, and object lifetimes to the programmer, which is where these bugs enter.
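As an added illustration (not code from the report or from any of the projects it analyzed), the C program below shows the two bug classes named above beside the defensive pattern that closes each one: an unchecked strcpy into a fixed-size field next to a length-checked copy that refuses oversized input, and a pointer left dangling after free next to a free-and-null helper with a NULL check before use. The struct, field names and inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* Hypothetical record: a short name followed by a privilege flag.
 * In the unsafe version, overflowing `name` overwrites `is_admin`. */
struct user {
    char name[NAME_LEN];
    int  is_admin;
};

/* Vulnerable pattern (buffer overflow): strcpy trusts the caller to have
 * sized `src`. Any name of NAME_LEN bytes or more runs past `name` into
 * `is_admin` and beyond. Shown for contrast only; never call it with
 * attacker-controlled input. */
void set_name_unsafe(struct user *u, const char *src) {
    strcpy(u->name, src);           /* no bounds check */
}

/* Hardened form: measure first, reject what does not fit (including the
 * NUL terminator), and only then copy. Returns 0 on success, -1 if rejected;
 * a rejected write leaves the record untouched. */
int set_name_safe(struct user *u, const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        return -1;
    memcpy(u->name, src, n);
    u->name[n] = '\0';
    return 0;
}

/* Heap-allocated session string (hypothetical helper for the demo). */
char *new_session(const char *token) {
    size_t n = strlen(token) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, token, n);
    return p;
}

/* Use-after-free pattern: after free(*pp) the caller still holds the old
 * address, and any later read or write through it touches memory the
 * allocator may already have handed to someone else. The fix is to release
 * through a helper that nulls the pointer, so a later use is a deterministic
 * NULL check (or a clean crash) instead of silent corruption. */
void free_and_null(char **pp) {
    free(*pp);
    *pp = NULL;
}

/* Consumer that respects the discipline: refuses a released session rather
 * than dereferencing a dangling pointer. Returns the token length, or -1. */
int session_token_len(char **session) {
    if (*session == NULL)
        return -1;
    return (int)strlen(*session);
}

int main(void) {
    struct user u;
    memset(&u, 0, sizeof u);

    printf("short name accepted: %d\n", set_name_safe(&u, "alice"));
    printf("overlong name rejected: %d\n",
           set_name_safe(&u, "a-name-far-too-long-for-the-field"));
    printf("record still reads: %s (is_admin=%d)\n", u.name, u.is_admin);

    char *s = new_session("session-token");
    printf("live session length: %d\n", session_token_len(&s));
    free_and_null(&s);
    printf("released session: %d\n", session_token_len(&s));
    return 0;
}
```

Compiling with `-fsanitize=address` and calling `set_name_unsafe` with a long string makes the overflow visible at runtime; the safe variants need no sanitizer because the checks are in the code path itself, which is the property a memory-safe language gives you by default.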
Popular open source projects that contain memory-unsafe code include Linux (95% memory-unsafe code), Tor (93%), MySQL Server (84%), and even Chromium (51%), highlighting the widespread reliance on memory-unsafe languages.
In contrast, projects like WordPress and PowerShell were found to be composed entirely of memory-safe code.
CISA highlighted the practical challenges that developers face when adopting memory-safe languages, such as performance needs and resource limitations. However, the report acknowledges ongoing work: “Recent advances allow memory-safe programming languages, such as Rust, to parallel the performance of non-memory-safe languages.”
The joint report recommends that developers prioritize memory-safe languages for new code and transition existing critical components to memory-safe alternatives. Beyond language selection, the agencies also emphasize following secure coding practices, managing dependencies properly, and performing methodical testing to identify and mitigate such security issues.