Memory-unsafe code prevalent in key open-source projects
In a joint report released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday, more than half of critical open source projects were found to be written in memory-unsafe languages, such as C and C++. This revelation has sparked a call to action from federal officials and industry leaders, aiming to transition these projects towards memory-safe programming languages (MSLs) to enhance cybersecurity and national security.
The federal government is taking decisive steps to promote this shift. The Biden administration, through the White House's America's AI Action Plan (2025), emphasizes secure software development practices, encouraging the use of memory-safe languages to better secure AI systems and software supply chains.
CISA and the National Security Agency (NSA) have also joined forces, publishing guides such as "The Case for Memory Safe Roadmaps," advocating for the adoption of MSLs as a proactive cybersecurity measure. Their Secure by Design program integrates software security throughout the development lifecycle with a focus on MSLs to reduce memory safety vulnerabilities.
CISA repeatedly issues cybersecurity advisories highlighting the risks stemming from memory safety vulnerabilities, often exploited by ransomware and cyber threat actors. These advisories reinforce the need for memory-safe programming in light of the potential security risks associated with memory corruption vulnerabilities common in C and C++.
Industry cybersecurity leaders and developers are being urged to understand when MSLs are appropriate and how to adopt them effectively. This includes reducing vulnerabilities in open source projects and software widely used by government and critical infrastructure.
The shift towards MSLs is not without its challenges. Some software may depend on libraries that are not memory safe, posing a potential roadblock in the transition process.
Despite the challenges, major technology firms, including SAP, Hewlett Packard Enterprise, and Palantir, have backed the White House's effort to adopt memory-safe code. CISA Director Jen Easterly called for a shift to memory-safe programming languages in 2023, echoing federal officials working to get the open source community and software industry to phase out the use of memory-unsafe languages.
The report analyzed 172 critical projects from the Open Source Security Foundation's Critical Projects Working Group. The largest open source projects were found to be disproportionately reliant on memory-unsafe languages, leaving them highly exposed to critical security flaws.
Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, stated that memory-safe languages produce code with fewer exploitable defects. However, he also noted that development teams are often skilled in unsafe languages, which could present a challenge in the transition process.
While the report did not specify the exact number of the analyzed open source projects that are written in memory-unsafe languages, it did highlight the use of these languages in open source projects, which are considered highly exposed to critical security flaws. The report did not mention any new findings about the median proportion of memory-unsafe language across the 10 largest projects, or whether the shift to MSLs is a recommendation for the open source community and software industry.
Nonetheless, the call to action is clear: a shift towards memory-safe programming languages is crucial for enhancing cybersecurity and mitigating the risks associated with memory corruption vulnerabilities in open source and critical software projects.
- The White House's America's AI Action Plan (2025) emphasizes secure software development practices, encouraging the use of memory-safe languages to better secure AI systems and software supply chains.
- CISA and the National Security Agency (NSA) have published guides, such as "The Case for Memory Safe Roadmaps," advocating for the adoption of memory-safe programming languages as a proactive cybersecurity measure.
- Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, stated that memory-safe languages produce code with fewer exploitable defects, highlighting the importance of this shift for enhancing cybersecurity.