Today, we jointly released a new Secure-by-Design publication, Exploring Memory Safety in Critical Open Source Projects, co-authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Canadian Centre for Cyber Security (CCCS).
This publication follows the December 2023 release of The Case for Memory Safe Roadmaps, which recommended software manufacturers create memory safe roadmaps, including plans to address memory safety in external dependencies, which commonly include open source software (OSS). Today’s publication provides a starting point for these roadmaps by investigating the scale of memory safety risk in selected OSS.
The publication highlights that most critical open source projects, even those written in memory-safe languages, potentially contain memory safety vulnerabilities. Successful exploitation of these types of vulnerabilities, such as buffer overflows and ‘use after free’, may allow adversaries to take control of software, systems, and data. Continued diligent use of memory safe programming languages, secure coding practices, and security testing is imperative to help mitigate these, and other limitations.
Read the full publication to explore more on memory safety in critical open source projects.
For guidance on how to create and publish memory safe roadmaps, and plan for how they will eliminate memory safety vulnerabilities, read The Case for Memory Safe Roadmaps.