The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a report examining 172 key open-source projects for their susceptibility to memory flaws. This research, conducted in collaboration with the FBI and cybersecurity agencies from Australia and Canada, reveals significant concerns about the use of memory-unsafe code in critical open-source software[1].

Key findings from the report include:
1. 52% of the analyzed critical open-source projects contain code written in memory-unsafe languages[1].
2. 55% of the total lines of code across these projects are in memory-unsafe languages[1].
3. Larger projects are disproportionately affected, with the ten largest projects having at least 26% of their code in memory-unsafe languages[1].
4. The median proportion of memory-unsafe code in large projects is 62.5%, with four projects exceeding 94%[1].
5. Even projects primarily written in memory-safe languages often depend on components using memory-unsafe code[1].

Notable examples of projects with high percentages of unsafe code include:
- Linux (95%)
- Tor (93%)
- MySQL Server (84%)
- glibc (85%)
- Redis (85%)
- systemd (65%)
- Chromium (51%)
- Electron (47%)[1]

CISA acknowledges that developers often face challenges that necessitate the use of memory-unsafe languages, particularly for low-level functionalities like networking, cryptography, and operating system functions. Performance requirements and resource constraints are cited as primary factors[1].

To address these issues, CISA recommends:
1. Writing new code in memory-safe languages such as Rust, Java, and Go[1].
2. Transitioning existing projects, especially critical components, to memory-safe languages[1].
3. Following safe coding practices[1].
4. Carefully managing and auditing dependencies[1].
5. Performing continuous testing, including static analysis, dynamic analysis, and fuzz testing[1].

This report underscores the ongoing challenges in software development and the importance of prioritizing memory safety in critical open-source projects to enhance overall cybersecurity.

Citations:
[1] https://lnkd.in/gBpinEeJ
[2] https://lnkd.in/eu9ZfXZx
[3] https://lnkd.in/gV2yyEgA
[4] https://lnkd.in/gKqqUgTW
[5] https://lnkd.in/g4sEYwqu
Peter Makohon’s Post
More Relevant Posts
-
"We're missing what the center mass is in information security." BHIS' John Strand reacting to CISA's latest research on critical open-source projects' susceptibility to memory flaws, and which languages are optimized to reduce them, backing up their previous "Case for Memory-Safe Roadmaps." Bill Toulas breaks it down in his Bleeping Computer piece. CISA's bottom line is that devs should be utilizing memory-safe code to reduce vulnerabilities like buffer overflows [covered in Sec+] and use-after-free [UAF], new to me, which I read is simply when a program continues to use a memory location after it has been freed or deallocated. NordVPN gave two examples. Double free is when the program attempts to free a memory block that has already been freed, causing memory corruption which leads to unpredictable behavior. Dangling pointer is a pointer that still points to a memory location even after it has been freed. This potentially allows an attacker to manipulate the data in that location, which sounds like a usable threat actor exploit. CISA calls out a few memory-unsafe languages, including the second- and third-most-used C++ and C. This is where the report clashed with the practical experience of John Strand and the Talkin' 'Bout InfoSec News podcast crew on July 1. They concluded the study deflected attention from the real issues in cybersecurity. I learned that Windows and Linux utilize C, so it sounds like re-coding everything in Rust or Python is beyond infeasible, and the panel agreed that "what CISA should be spending its time on... is teaching people to patch their [systems.]" These recommendations can be off-putting to cybersecurity veterans like Strand who have dealt with memory issues in Java in the past. "If something's written in C therefore it's inherently insecure from a memory perspective, 'here use Java,' you just basically shut off like 50% of the security community because, let's be honest, for a while Java was having... all of these different compression/decompression algorithms inside of Java... just blowing up with vulnerabilities all over the place so this doesn't help anything." The big breaches today are social engineering, patch management and business logic flaws. Programming language doesn't matter as much when a threat actor can pick up the phone and reset the IT admin's help desk MFA tokens. I like Strand's solution, "what their initiative... should be [is] going town-to-town setting up big pizza gatherings handing out beer and just saying 'hey can we talk to you a little bit about our Lord and Savior Computer Security?' and really try to get the word out there as much as we can."
CISA: Most critical open source projects not using memory safe code
bleepingcomputer.com
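The post above defines double free and dangling pointers in words; the following C program is an added example (not from the post, the podcast, or CISA) of the defensive ownership pattern that keeps both from becoming silent memory corruption: one owner tracks whether a block is live, release nulls the pointer, and every access is gated on liveness. The type and function names (owned_buf, buf_init, buf_release, buf_read) are made up for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added illustration, not code from the post: an owner-tracked buffer
 * that turns the two errors the post describes (double free and use of a
 * dangling pointer) into checked failures instead of silent corruption.
 * Names (owned_buf, buf_*) are made up for this example. */
typedef struct {
    char  *data;   /* heap block, NULL once released */
    size_t len;
    int    live;   /* 1 while data is valid, 0 after buf_release */
} owned_buf;
/* Copy src into a fresh heap block; returns 0 on success, -1 on failure. */
int buf_init(owned_buf *b, const char *src) {
    size_t n = strlen(src);
    b->data = malloc(n + 1);
    if (b->data == NULL) { b->len = 0; b->live = 0; return -1; }
    memcpy(b->data, src, n + 1);
    b->len = n;
    b->live = 1;
    return 0;
}

/* Release exactly once. A second call is the "double free" case: it is
 * refused and reported (-1) rather than handed to free() again. */
int buf_release(owned_buf *b) {
    if (!b->live) return -1;
    free(b->data);
    b->data = NULL;   /* no dangling pointer survives the release */
    b->len = 0;
    b->live = 0;
    return 0;
}

/* Read access is gated on liveness: after release the caller gets NULL,
 * not a pointer into freed memory (the "dangling pointer" case). */
const char *buf_read(const owned_buf *b) {
    return b->live ? b->data : NULL;
}

int main(void) {
    owned_buf b;
    if (buf_init(&b, "config=1") != 0) return 1;
    printf("live read: %s\n", buf_read(&b));
    buf_release(&b);
    printf("second release refused: %d\n", buf_release(&b));
    printf("read after release is NULL: %d\n", buf_read(&b) == NULL);
    return 0;
}
```

For code that does not route every access through such a wrapper, building with `-fsanitize=address` (GCC/Clang) reports the raw double free and use-after-free at runtime, which is the dynamic-analysis step CISA's recommendations refer to.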
-
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published an insightful report in collaboration with the FBI, Australian organizations (ASD, ACSC) and Canadian organizations (CCCS). This research delves into 172 key open-source projects to assess their susceptibility to memory flaws. This report emphasizes the significance of memory safety in programming languages by highlighting the prevalence of memory-related errors like buffer overflows and use-after-free occurrences. Memory-safe languages, exemplified by Rust's borrow checker, automate memory management to prevent such errors, unlike memory-unsafe languages like C and C++ that burden developers with manual memory allocation responsibilities. Key findings from the report reveal that over half of the critical open-source projects analyzed contain code written in memory-unsafe languages. Astonishingly, 55% of the total lines of code across these projects are composed in memory-unsafe languages. Notably, even projects developed in memory-safe languages often rely on components written in memory-unsafe languages, underscoring the pervasive nature of this issue. This research sheds light on the critical need for implementing memory-safe practices in software development to enhance cybersecurity and mitigate vulnerabilities. Stay informed about the evolving landscape of cybersecurity to safeguard against potential threats. #Cybersecurity #MemorySafety #OpenSourceProjects #CISA #FBI #ASD #ACSC #CCCS #ProgrammingLanguages
CISA: Most critical open source projects not using memory safe code
bleepingcomputer.com
-
Memory-Safe Code: A Cybersecurity Must [#CyberSecurity #OpenSource] 🔐

Key Findings from the CISA Report:
- Only 25% of critical open-source projects utilize memory-safe code.
- Memory-unsafe languages like C and C++ still dominate, posing security risks such as buffer overflows.

The urgency for open-source maintainers to adopt memory-safe coding practices is clearer than ever to fortify cybersecurity defenses. ✨ Do you think transitioning to memory-safe languages is feasible for most open-source projects? How can the cybersecurity community support this shift? #SoftwareDevelopment #DataSecurity #TechLeaders #InfoSec #Programming

Explore the full analysis here: https://lnkd.in/gr273qsk
CISA: Most critical open source projects not using memory safe code
bleepingcomputer.com
-
Memory Safety in Open Source: A CISA Alert [#CyberSecurity #OpenSource] 🚨

Key Facts:
- 83% of critical open-source projects use memory-unsafe languages.
- Only 17% employ memory-safe languages, reducing risk of buffer overflows.

CISA's report underscores the importance of memory safety in preventing cybersecurity vulnerabilities across open-source projects. 🔍 Do you think switching to memory-safe languages is feasible for most open-source initiatives? What barriers could they face? #CyberRisk #SoftwareDevelopment #Programming #TechNews #InfoSec

Here’s the full story for more details: https://lnkd.in/gr273qsk
CISA: Most critical open source projects not using memory safe code
bleepingcomputer.com
-
Proud to see Snyk's new State of Open Source Security Report featured in Forbes! Some notable quotes:

"Code review can’t be a last step on the checklist. The volume and velocity of code is too overwhelming and with DevSecOps culture the development lifecycle is continuous."

"Only 40% of the organizations surveyed are not using software composition analysis (SCA) or static application security testing (SAST) tools—and even fewer have adopted cloud-native security measures like configuration checks for infrastructure-as-code tools."

"While more than 3/4 of respondents expressed optimism that these tools have improved code security, almost 60% are concerned that AI tools will introduce security vulnerabilities into code, and half are concerned that AI might introduce licensing violations."

#devsecops #opensource #supplychainsecurity
New Report Highlights Gaps In Code Security Practices And Tools
forbes.com
-
Open Source Security & Policy Leader | OpenSSF Board | Caretaker of Maven Central | Apache Software Foundation Member | Forbes Member | Co-Founder & CTO Sonatype
This article delves into the critical topic of open-source supply chain security. With vulnerabilities like Log4j shining a spotlight on the OSS community, misconceptions about it have surfaced. Contrary to popular belief, open source isn't "amateur hour"—it's driven by some of the world's most talented and passionate developers.

Additional Key Highlights:
- Supply Chain Integrity: Accountability in software supply chains is paramount—everyone, from developers to end-users, shares responsibility for security. Proper tooling, like SBOMs, is essential to manage and mitigate risks effectively.
- Efficiency AND Security: Prioritizing security doesn’t slow down development. In fact, high-performing teams excel in both speed and security. Understanding and leveraging open source responsibly can lead to innovation without compromising security.

https://lnkd.in/evYjwQBi
Closing the door on open source supply chain attacks
techradar.com
-
A comprehensive new study has unearthed fresh details on the extensive and troubling use of memory-unsafe code in major open source software (OSS) projects. #cybersecurity #cisa #oss #opensource
CISA Flags Memory-Unsafe Code in Major Open Source Projects
darkreading.com
-
Serverless functions hold a lot of promise, but they’re not without their perils. Join Janet Costello Worthington in Sydney at #ForrTech APAC to explore what your organization can do to strengthen its application security.
Serverless Functions Hold A Lot Of Promise … And Potential Security Flaws
forrester.smh.re