Peter Makohon’s Post

"We're missing what the center mass is in information security." BHIS' John Strand reacting to CISA's latest research on critical open-source projects' susceptibility to memory flaws, and which languages are optimized to reduce them, backing up their previous "Case for Memory-Safe Roadmaps." Bill Toulas breaks it down in his Bleeping Computer piece. CISA's bottom line is that devs should be utilizing memory-safe code to reduce vulnerabilities like buffer overflows [covered in Sec+] and use-after-free [UAF], new to me, which I read is simply when a program continues to use a memory location after it has been freed or deallocated. NordVPN gave two examples. Double free is when the program attempts to free a memory block that has already been freed, causing memory corruption which leads to unpredictable behavior. Dangling pointer is a pointer that still points to a memory location even after it has been freed. This potentially allows an attacker to manipulate the data in that location, which sounds like a useable threat actor exploit. CISA calls out a few memory-unsafe languages, including the second- and third-most-used C++ and C. This is where the report clashed with the practical experience of John Strand and the Talkin' 'Bout InfoSec News podcast crew on July 1. They concluded the study deflected attention from the real issues in cybersecurity. I learned that Windows and Linux utilize C, so it sounds like re-coding everything in Rust or Python is beyond infeasible, and the panel agreed that "what CISA should be spending its time on... is teaching people to patch their [systems.]" These recommendations can be off-putting to cybersecurity veterans like Strand who have dealt with memory issues in Java in the past. "If something's written in C therefore it's inherently insecure from a memory perspective, 'here use Java,' you just basically shut off like 50% of the security community because, let's be honest, for a while Java was having... all of these different compression/decompression algorithms inside of Java... just blowing up with vulnerabilities all over the place so this doesn't help anything." The big breaches today are social engineering, patch management and business logic flaws. Programming language doesn't matter as much when a threat actor can pick up the phone and reset the IT admin's help desk MFA tokens. I like Strand's solution, "what their initiative... should be [is] going town-to-town setting up big pizza gatherings handing out beer and just saying 'hey can we talk to you a little bit about our Lord and Savior Computer Security?' and really try to get the word out there as much as we can."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published an insightful report in collaboration with the FBI, Australian organizations (ASD, ACSC) and Canadian organizations (CCCS). This research delves into 172 key open-source projects to assess their susceptibility to memory flaws. This report emphasizes the significance of memory safety in programming languages by highlighting the prevalence of memory-related errors like buffer overflows and use-after-free occurrences. Memory-safe languages, exemplified by Rust's borrow checker, automate memory management to prevent such errors, unlike memory-unsafe languages like C and C++ that burden developers with manual memory allocation responsibilities. Key findings from the report reveal that over half of the critical open-source projects analyzed contain code written in memory-unsafe languages. Astonishingly, 55% of the total lines of code across these projects are composed in memory-unsafe languages. Notably, even projects developed in memory-safe languages often rely on components written in memory-unsafe languages, underscoring the pervasive nature of this issue. This research sheds light on the critical need for implementing memory-safe practices in software development to enhance cybersecurity and mitigate vulnerabilities. Stay informed about the evolving landscape of cybersecurity to safeguard against potential threats. #Cybersecurity #MemorySafety #OpenSourceProjects #CISA #FBI #ASD #ACSC #CCCS #ProgrammingLanguages

Memory-Safe Code: A Cybersecurity Must [#CyberSecurity #OpenSource] 🔐 Key Findings from the CISA Report: - Only 25% of critical open-source projects utilize memory-safe code. - Memory-unsafe codes like C and C++ still dominate, posing security risks such as buffer overflows. The urgency for open-source maintainers to adopt memory-safe coding practices is clearer than ever to fortify cybersecurity defenses. ✨ Do you think transitioning to memory-safe languages is feasible for most open-source projects? How can the cybersecurity community support this shift? #SoftwareDevelopment #DataSecurity #TechLeaders #InfoSec #Programming Explore the full analysis here: https://lnkd.in/gr273qsk

Memory Safety in Open Source: A CISA Alert [#CyberSecurity #OpenSource] 🚨 Key Facts: - 83% of critical open-source projects use memory-unsafe languages. - Only 17% employ memory-safe languages, reducing risk of buffer overflows. CISA's report underscores the importance of memory safety in preventing cybersecurity vulnerabilities across open-source projects. 🔍 Do you think switching to memory-safe languages is feasible for most open-source initiatives? What barriers could they face? #CyberRisk #SoftwareDevelopment #Programming #TechNews #InfoSec Here’s the full story for more details: https://lnkd.in/gr273qsk

Proud to see Snyk's new State of Open Source Security Report featured in Forbes! Some notable quotes; "Code review can’t be a last step on the checklist. The volume and velocity of code is too overwhelming and with DevSecOps culture the development lifecycle is continuous." "Only 40% of the organizations surveyed are not using software composition analysis (SCA) or static application security testing (SAST) tools—and even fewer have adopted cloud-native security measures like configuration checks for infrastructure-as-code tools." "While more than 3/4 of respondents expressed optimism that these tools have improved code security, almost 60% are concerned that AI tools will introduce security vulnerabilities into code, and half are concerned that AI might introduce licensing violations." #devsecops #opensource #supplychainsecurity

This article delves into the critical topic of open-source supply chain security. With vulnerabilities like Log4j shining a spotlight on the OSS community, misconceptions about it have surfaced. Contrary to popular belief, open source isn't "amateur hour"—it's driven by some of the world's most talented and passionate developers. Additional Key Highlights: Supply Chain Integrity: Accountability in software supply chains is paramount—everyone, from developers to end-users, shares responsibility for security. Proper tooling, like SBOMs, is essential to manage and mitigate risks effectively. Efficiency AND Security: Prioritizing security doesn’t slow down development. In fact, high-performing teams excel in both speed and security. Understanding and leveraging open source responsibly can lead to innovation without compromising security. https://lnkd.in/evYjwQBi

A comprehensive new study has unearthed fresh details on the extensive and troubling use of memory-unsafe code in major open source software (OSS) projects. #cybersecurity #cisa #oss #opensource

Serverless functions hold a lot of promise, but it’s not without its perils. Join Janet Costello Worthington Worthington in Sydney at #ForrTech APAC to explore what your organization can do to strengthen its application security.

Serverless functions hold a lot of promise, but it’s not without its perils. Join Janet Worthington in Sydney at #ForrTech APAC to explore what your organization can do to strengthen its application security.

Serverless functions hold a lot of promise, but it’s not without its perils. Join Janet Worthington in Sydney at #ForrTech APAC to explore what your organization can do to strengthen its application security.