A new report from CISA, the FBI, the Australian Cyber Security Centre (ACSC), and the Canadian Centre for Cyber Security (CCCS) analyzed 172 critical OpenSSF projects and found that 52% of them contain code written in a memory-unsafe language.

The report also found that 55% of the total lines of code for all projects were written in a memory-unsafe language. 

According to the report, memory-unsafe languages — such as C or C++ — place the responsibility for managing memory allocation and use on developers, so a single mistake can produce a memory-safety vulnerability such as a buffer overflow or a use-after-free. Memory-safe languages shift that responsibility to the compiler or interpreter and can significantly reduce the opportunity to introduce such bugs, the class of flaw behind incidents like the Morris Worm, the Slammer Worm, Heartbleed, and BLASTPASS.
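To make the report's point concrete, the following is an added illustration (not taken from the report or from any of the projects it surveyed) of what "responsibility on the developer" means in C. The `BUF_LEN`, `copy_name_*` and `session_*` names are invented for this example. The unchecked copy trusts the caller to stay within the buffer and overruns it if the input is too long; the checked version verifies the bound before writing. The session helpers show the use-after-free pattern and the defensive habit of clearing the freed pointer so a later access is a detectable NULL rather than a dangling read. A memory-safe language makes both checks a compiler or runtime guarantee instead of a convention the developer must remember.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 16  /* constructed fixed-size buffer for the example */

/* Unsafe: strcpy() has no knowledge of dst's size. Any src longer than
 * BUF_LEN - 1 characters writes past the end of dst (undefined behaviour,
 * i.e. a classic stack or heap buffer overflow). Shown only for contrast. */
void copy_name_unchecked(char dst[BUF_LEN], const char *src) {
    strcpy(dst, src);
}

/* Safe: the destination bound is checked before any byte is written.
 * Returns 0 on success, -1 if src (plus its terminating NUL) does not fit. */
int copy_name_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_len == 0) return -1;
    /* Scan at most dst_len bytes so an unterminated src cannot run away. */
    while (n < dst_len && src[n] != '\0') n++;
    if (n >= dst_len) return -1;      /* no room for the NUL terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

struct session {
    int  id;
    char token[BUF_LEN];
};

/* Allocate a session; returns NULL on allocation failure. */
struct session *session_new(int id) {
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->id = id;
    return s;
}

/* Release the session and clear the caller's pointer. Without the
 * "*sp = NULL" step the caller keeps a dangling pointer, and a later
 * s->id read is a use-after-free. */
void session_destroy(struct session **sp) {
    if (sp == NULL || *sp == NULL) return;
    free(*sp);
    *sp = NULL;
}

/* Returns the session id, or -1 if the session has already been released. */
int session_id(const struct session *s) {
    return s ? s->id : -1;
}

int main(void) {
    char buf[BUF_LEN];
    struct session *s = session_new(7);

    printf("checked short copy: %d\n", copy_name_checked(buf, BUF_LEN, "alice"));
    printf("checked long copy:  %d\n", copy_name_checked(buf, BUF_LEN, "0123456789abcdef"));
    printf("live session id:    %d\n", session_id(s));
    session_destroy(&s);
    printf("freed session id:   %d\n", session_id(s));
    return 0;
}
```

The unchecked function is deliberately never called with an oversized input here; its presence is the point. Nothing in the C type system prevents a caller from doing so, which is the gap that tooling such as compiler hardening flags and sanitizers can narrow and that a memory-safe language closes by construction.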

“By using memory-safe languages, programmers can focus on producing higher-quality code rather than perilously contending with low-level memory management,” said Omkhar Arasaratnam, GM at the OpenSSF.

This new report follows the White House Office of the National Cyber Director’s (ONCD) call earlier this year on technology leaders to adopt memory-safe languages. 

“We, as a nation, have the ability – and the responsibility – to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem but that means we need to tackle the hard problem of moving to memory safe programming languages,” said National Cyber Director Harry Coker at the time.  

According to Chris Hughes, CISSP, chief security advisor at Endor Labs and Cyber Innovation Fellow at CISA, one of the reasons so many projects are written in memory-unsafe languages is that those languages were widely adopted for many years, and only recently has there been a push to encourage developers to use memory-safe languages.

He explained that it will be difficult to transition existing projects to memory-safe languages because of the resources, effort, and expertise required, which maintainers of the projects may not have.  

“That said, there are also opportunities for organizations to help facilitate the transition through resources including monetary incentives, as well as potentially development support to facilitate the transition,” said Hughes. “Of course, there still remain issues with third-party and transitive dependencies as discussed in the report, meaning even if the projects were re-written, they would need to conduct dependency analysis and ensure that transitive dependencies are also accounted for when it comes to memory safety. Lastly, efforts would need to be made to ensure the developers and maintainers implement secure coding practices to ensure memory safety safeguards aren’t undermined.”
