Plaintext: Another Call for Moving to Memory-Safe Languages
Welcome to Dark Reading in Plaintext, brought to your inbox this week by Adaptive Shield . In this issue of Plaintext, we delve in to a new CISA report looking at the state of memory-unsafe code in open source projects. We also look at how a security veteran makes the move outside the industry. If you enjoy Plaintext, please share with friends and colleagues !
State of Memory Safety Vulnerabilities in Open Source Projects. CISA , FBI, the Australian Cyber Security Centre, and the Canadian Centre for Cyber Security released a report summarizing the results of their investigation into the use of memory-unsafe code in open source software . Fifty-two percent of the 172 major open source projects that the research authors looked at contained code written in a memory-unsafe language, such as C and C++. More than half (55%) of the total lines of code in all the projects combined were written in a memory-unsafe language, with the larger projects being the worst culprits. Also worth noting: projects written in memory-safe languages may still be exposed to memory vulnerabilities through unsafe dependencies.
Memory-unsafe programming languages allow programmers to have more direct control over memory-related functions in code, which can often lead to very common application security issues like buffer overflows and use-after-free errors. In contrast, memory-safe languages, like C#, Go, Java, Python, Rust, and Swift, handle memory management for the developer, reducing the opportunity to make these types of code errors .
Projects may be written in memory unsafe languages for a number of reasons, including the fact that a lot of existing components and codebase is already written in that language. "It would be difficult to change many of these projects to memory safe languages because it would require resources and efforts from the maintainers, to refactor/rewrite to memory safe languages," notes Chris Hughes, chief security advisor at Endor Labs and a CISA Cyber Innovation Fellow. The project maintainers may not know memory-safe languages, or the time/resources to rewrite the code. Remember, many of these projects depend on unpaid or under-compensated volunteers.
“To reduce risks, organizations need to thoroughly understand their OSS consumption as part of a broader software asset inventory.” —Chris Hughes, Endor Labs.
The joint 22-page report recommends software makers create roadmaps for transitioning to memory-safe roadmaps, including plans for addressing memory safety in external dependencies. This is the not the first time the government has urged using memory safe languages. A February 2024 technical report from the White House urged industry stakeholders to go back to the building blocks and start over with using memory safe code in all software. The US National Security Agency (NSA) urged software makers and all organizations developing software to consider adopting memory-safe languages back in 2022.
Dark Reading in Plaintext is brought to you by Adaptive Shield
Managing SaaS Security: What’s Your Maturity Level?
Read the new SaaS Security Survey Report: 2025 CISO Plans & Priorities ?to find out how your security team compares to other enterprise organizations.
Mike Rothman and the Candy Business. We normally don't track people's comings and goings in this industry, but Mike Rothman 's post over at Securosis talking about how he was leaving security to take on strategy and technology in a completely different industry caught our eye. It's classic Rothman —carefully reasoned, instructive, and funny. He steps through the POPE evaluation (People, Opportunity, Potential, and Exit) to describe his new role, and it is a good reminder to use this framework to think about opportunities that come our way. Also, all knowledge and experience can be adapted and applied to new situations, and this bit from his post really drove that point home for us: "I also leverage my experience in the security business...In the candy business you need to be prepared for a product recall. So we did a tabletop exercise working through a simulated recall scenario. The key to the exercise was having a strong playbook and making sure everyone knew their job. The recall simulation seemed so familiar, but different at the same time." Mike will still be at Black Hat for the Cloud Security Hands-On (for both AWS and Azure ) and we look forward to seeing him there.
What We Are Reading
领英推荐
What We Heard On-Air
Tune in to our on-demand webinar?“Assessing Software Supply Chain Risk .”
“Authentication and authorization in the world of API is critical.” —Jonathan Care.
From Our Library
Check out some of the latest reports from our?Dark Reading Library .
On That Note
The hours drag but the week flies. How many times have you looked at the calendar and asked yourself how was it possible that the week is already over? How many of you are startled that the first six months of 2024 are already in our rearview mirror? For the busy security professional with not enough time to keep up with the news, have you looked at Dark Reading 's CISO Corner? It is a weekly digest of what we consider as the week's most important headlines. From 5G, China, and NYSE , we got you covered.
Dark Reading in Plaintext is brought to you by Adaptive Shield
Senior Software Engineer | UI | Cybersecurity | Web | Applications | I18N | Toastmaster | Presenter | Trainer
4 个月We should not look for a single silver-bullet solution, there are so many ways to compromise a system. The UEFI hacks recently released are an example: https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/ I think that CISA and many competent guides on cybersecurity will tell you that you can't simply focus on a single area of vulnerability, but all levels of vulnerabilities, continuously upgrading the level of protection. As an application developer, yes I worry about memory safety bugs, that's why we use static and dynamic testing along with code reviews. Then I'm reminded that simple things like keeping track of versions of tools and dependencies (SBOM), ensuring the build chain is fully understood and validated, keeping lab and testing environments pristine & clean - all contribute to a successful end result. Which someone will then try an punch holes through, so we simple need to be vigilant and reactive to problems. Always. I ask that a plan for patching and upgrading be designed into the plan at the outset, so that the pain of reacting to vulnerabilities is not onerous.
Cyber/IT security and compliance specialist
4 个月Sorry to say it, but "Memory-Safe Languages" is a marketing term. "Memory-Safe Languages" implies that the safety/protection level is 100%. "Memory-Safer Languages" would be a better description. The IT security business has a bad reputation for making everything black and white, which it never is. That is why top management is always skeptical when they are told something like: "use Memory-Safe Languages". Sure these languages has their merits, but it is not black and white. AND even "Memory-Safe Languages" have flaws in their handling of memory.
[Cyber Security Expert][AI][Blockchain][Consulting] [DIFC/UAE????] [Global coverage??]Lets fix your cyber]
4 个月I’ve watched this story make the rounds so ill comment since its out there. There are open source projects like OpenBSD that put security first. Their operating system is secure by default and the software included/available has also been checked. It would not be just to label all open source software a risk. The biggest security issue seems to come from closed source code that is under pressure to release the next version when they know its not ready - following up with constant patching on a certain day of the week… The internet was built on free open source software possibly with many issues but constantly getting upgraded, many items today either started open source or run open source - even Apple has an open source website which lists many projects. Do you run Android? its open source. The answer is secure your software and systems (and processes) rather than just expect a magic solution or as CISA has called rewrite everything in rust? OpenBSD runs secure memory management, seperation, address space layout randomization, stack protector and mandatory access control its not written in rust - again its open source how far do we want to go?
Insurance and Risk management |Financial engineer | Fraud Analyst| Operational Risk| Internal Audits| Data Analysis | Tech Pathway
4 个月Very helpful!