Dive Brief:
- Just over half of critical open source projects contain code written in memory-unsafe languages, the FBI and Cybersecurity and Infrastructure Security Agency said in a report released Wednesday.
- The largest projects are disproportionately reliant on memory-unsafe languages, the agencies found. The report analyzed a total of 172 critical projects from the Open Source Security Foundation’s Critical Projects Working Group.
- The median proportion of memory-unsafe language across the 10 largest projects was 62.5%. Four of the top 10 have more than 94% of their code written in memory-unsafe languages.
Dive Insight:
Federal officials have been actively working to get the open source community and software industry to phase out the use of memory-unsafe languages, including C and C++. These languages are considered highly prone to critical memory-safety vulnerabilities that malicious threat groups can exploit.
CISA Director Jen Easterly in 2023 called on the industry to shift to memory-safe programming languages as part of the larger effort to embrace secure-by-design development practices, so that software and other technology products would be less vulnerable to malicious hackers.
In February, major technology firms, including SAP, Hewlett Packard Enterprise and Palantir, backed an effort by the White House to embrace adoption of memory-safe code.
“There is no debate that a memory-safe language produces code with fewer exploitable defects,” said Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group.
The challenge is that development teams are often skilled in unsafe languages, Mackey said, or a particular piece of software depends on libraries that are not memory safe.