Most open source projects fail to use memory-safe programming languages – and CISA says that needs to change

Cyber security concept image showing a digitized padlock sitting on a blue colored circuit board.
(Image credit: Getty Images)

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that most critical open source projects are failing to use memory-safe programming languages.

In a joint report with the FBI, Australian Signals Directorate’s Australian Cyber Security Centre, and Canadian Cyber Security Center, CISA analyzed 172 projects derived from the OpenSSF Securing Critical Projects Working Group’s List of Critical Projects.

The probe found that more than half (52%) of the projects contain code written in memory-unsafe languages, requiring manual management of memory, and increasing the risk of errors that can lead to security vulnerabilities.

The same was true of 55% of the total lines of code for all projects.

Some of the largest projects were more likely to be written in memory-unsafe languages, CISA found. The 10 largest projects were found to have a median of 62.5% of their code written in memory-unsafe languages, and four projects topping 94%.

Meanwhile, a dependency analysis of three projects written in memory-safe languages revealed that all of them depended on other components written in unsafe languages.

"Most critical open source projects, even those written in memory-safe languages, potentially contain memory safety vulnerabilities,” the Australian Cyber Security Centre said.

“Successful exploitation of these types of vulnerabilities, such as buffer overflows and ‘use after free’, may allow adversaries to take control of software, systems, and data.”.

"Continued diligent use of memory safe programming languages, secure coding practices, and security testing is imperative to help mitigate these, and other limitations."

The report urged organizations to transition existing projects to memory-safe programming languages and make sure that new projects use them from the start.

The report also called for more research and collaboration to improve understanding and mitigate risks.


"To reduce risks, organizations need to thoroughly understand their OSS consumption as part of a broader software asset inventory,” said Chris Hughes, chief security advisor at open source security company Endor Labs, and Cyber Innovation Fellow at the CISA

“Furthermore, organizations should understand the classes of vulnerabilities and how they are categorized, and make efforts to shift internally to memory safe languages and adopt secure coding practices.

"They can also ask for transparency from their software suppliers to understand the risks in the software and products they consume when it comes to OSS."

However, Tim Mackey, head of software supply chain risk at Synopsys Software Integrity Group, said most software was written before memory-safe languages were invented, and development teams lack the requisite skills.

"Converting a major application from using one language to another is costly, likely requiring the team to support multiple major development streams for an extended period of time while feature parity between the two versions is achieved, and may implicitly require that many of the original contributors retire from the project unless they are willing to learn the new programming language."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.