US government warns that critical open source projects are not adequately protected
In a joint report from the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) and their Canadian and Australian counterparts, the agencies warn that many widely used open source projects are written in languages that offer no built-in protection against memory-safety flaws, leaving them exposed to emerging and evolving threat actors.
In its analysis of 172 critical open source projects, CISA emphasized the importance of using memory-safe languages to avoid an entire class of vulnerabilities.
The report found that more than half (52%) of the projects contained code written in a memory-unsafe language.
US government stresses importance of memory-safe languages
Memory safety is critical to preventing common vulnerabilities such as buffer overflows and use-after-free errors. Memory-safe languages such as Rust, Java, Go, C#, and Python enforce bounds checks and control object lifetimes for the programmer, either through automatic memory management (garbage collection) or, in Rust's case, through compile-time ownership and borrowing rules, which removes the opportunity for these bugs in ordinary code.
However, other widely used languages such as C, C++, and assembly leave bounds checking and memory lifetime entirely to the programmer, so a single missed check becomes an exploitable error.
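The two bug classes named above, shown as they arise in C beside checked equivalents. This is an added example and not code from the CISA report or from any of the projects it analyzed; the function and struct names (greet_unchecked, copy_checked, session_open, session_close_checked) and the 16-byte buffer size are assumptions made for the demonstration.

```c
/* Added example, not code from the CISA report or any project it analyzed.
 * Shows the two bug classes named in the text (buffer overflow and
 * use-after-free) as they arise in C, each beside a checked equivalent.
 * All names and the 16-byte buffer size are assumptions made for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed buffer size */

/* VULNERABLE: stack buffer overflow.  strcpy() trusts the source to fit, so
 * any input of NAME_MAX bytes or more writes past `name` and over whatever
 * the compiler placed after it.  The compiler accepts this silently; only a
 * runtime tool (e.g. -fsanitize=address) or a crash reveals it. */
void greet_unchecked(const char *src)
{
    char name[NAME_MAX];
    strcpy(name, src);                 /* no length check at all */
    printf("hello %s\n", name);
}

/* CHECKED: refuse input that does not fit, terminator included.
 * Returns 0 and fills dst on success, -1 without touching dst otherwise. */
int copy_checked(char *dst, size_t dst_len, const char *src)
{
    /* Look for the terminator only within dst_len bytes of src; if it is
     * not there, src is too long (or unterminated) and cannot fit. */
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);   /* +1 copies the NUL */
    return 0;
}

struct session {
    int   id;
    char *token;
};

/* VULNERABLE: use-after-free.  The struct is released but the caller still
 * holds the pointer; reading s->token afterwards reads memory the allocator
 * may already have reused for something else. */
void session_close_unchecked(struct session *s)
{
    free(s->token);
    free(s);
    /* caller's copy of s is now dangling */
}

/* CHECKED: take the caller's pointer by reference and null it after free,
 * so a later use fails on a NULL check instead of reading freed memory.
 * Safe to call twice. */
void session_close_checked(struct session **sp)
{
    if (sp == NULL || *sp == NULL)
        return;
    free((*sp)->token);
    (*sp)->token = NULL;
    free(*sp);
    *sp = NULL;
}

/* Allocate a session with a private copy of the token (ISO C only, so no
 * strdup).  Returns NULL on allocation failure. */
struct session *session_open(int id, const char *token)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    size_t n = strlen(token) + 1;      /* include the terminator */
    s->token = malloc(n);
    if (s->token == NULL) {
        free(s);
        return NULL;
    }
    memcpy(s->token, token, n);
    s->id = id;
    return s;
}

int main(void)
{
    char buf[NAME_MAX];
    /* 16 characters plus the terminator need 17 bytes: rejected. */
    printf("long input accepted? %d\n",
           copy_checked(buf, sizeof buf, "0123456789abcdef") == 0);
    if (copy_checked(buf, sizeof buf, "alice") == 0)
        printf("hello %s\n", buf);

    struct session *s = session_open(7, "example-token");
    session_close_checked(&s);
    printf("session pointer after close is NULL: %d\n", s == NULL);
    /* greet_unchecked and session_close_unchecked are deliberately not
     * called here: run them under -fsanitize=address to see the reports. */
    return 0;
}
```

The unchecked variants compile without a warning, which is the report's point: nothing in the language stops them. Build with `gcc -fsanitize=address -g` and call `greet_unchecked` with a 16-character string, or read `s->token` after `session_close_unchecked(s)`, to see AddressSanitizer flag the stack overflow and the heap use-after-free at runtime. The checked variants turn the same mistakes into an error return and a NULL dereference respectively, which is still a bug but no longer a memory corruption.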
Popular open source projects with a high proportion of code written in memory-unsafe languages include Linux (95% of its code), Tor (93%), MySQL Server (84%), and even Chromium (51%), highlighting the widespread reliance on memory-unsafe languages.
Conversely, projects such as WordPress and PowerShell were found to consist entirely of code written in memory-safe languages. Note that this describes the project's own code: WordPress runs on the PHP interpreter and PowerShell on the .NET runtime, both of which are implemented largely in C and C++, so a memory-safe codebase still inherits the memory-safety risk of the runtime and native dependencies beneath it.
CISA highlighted the practical challenges developers face when adopting memory-safe languages, such as performance requirements and resource constraints. However, the report acknowledges ongoing work: “Recent developments enable memory-safe programming languages, such as Rust, to match the performance of memory-insecure languages.”
The joint report recommends that developers prioritize memory-safe languages for new code and migrate critical existing components to memory-safe alternatives. Beyond language selection, the agencies also emphasize following secure coding practices, properly managing dependencies (including the memory-unsafe ones a memory-safe project pulls in), and conducting methodical testing to identify and mitigate memory-safety bugs in the code that remains in C and C++.