CISA Report Finds Most Open-Source Projects Contain Memory-Unsafe Code
2024-07-01 21:58

More than half of the open-source projects it analysed contain code written in a memory-unsafe language, a report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has found.

"Hence, we determine that most critical open source projects analysed, even those written in memory-safe languages, potentially contain memory safety vulnerabilities," wrote the authors.

"It would be difficult to change many of these projects to memory safe languages because it would require resources and efforts from the maintainers, to refactor/rewrite to memory safe languages. The maintainers may not have expertise in the memory safe language and even if they do, they may not be incentivized to do so, given they are largely unpaid volunteers not being compensated for the projects they've created and maintained."

The report refers to CISA's The Case for Memory Safe Roadmaps document and the Technical Advisory Council's report on memory safety for recommendations on how to reduce the prevalence of memory-unsafe languages.

An October 2022 report from Consumer Reports noted that "Roughly 60 to 70 percent of browser and kernel vulnerabilities - and security bugs found in C/C++ code bases - are due to memory unsafety." The National Security Agency subsequently released guidance on how software developers could protect against memory-safety issues.

That December, CISA published The Case for Memory Safe Roadmaps and the Technical Advisory Council's report on memory safety.


News URL

https://www.techrepublic.com/article/open-source-projects-memory-unsafe-code-cisa/