More than half (52%) of critical open source projects contain code written in a memory-unsafe language, according to a new analysis by the Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with government agency partners from Australia and Canada.
The Exploring Memory Safety in Critical Open Source Projects joint report investigated the scale of memory safety risk in open source software.
It analyzed a list of 172 projects derived from the Open Source Security Foundation (OpenSSF) Securing Critical Projects Working Group’s List of Critical Projects.
The report concluded that most critical open source projects potentially contain memory safety vulnerabilities, either through direct use of memory-unsafe languages or through external dependencies on projects written in them.
The agencies observed that 55% of the total lines of code (LoC) for all projects were written in a memory-unsafe language.
The projects analyzed span categories such as operating system kernels and drivers, cryptography, and networking.
Each of the 10 largest projects by total LoC had a proportion of memory-unsafe LoC above 26%.
Four of the 10 largest projects exceeded 94% memory-unsafe LoC.
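The metric the report uses, the share of a project's lines of code written in a memory-unsafe language, is easy to reproduce for your own repositories. The script below is an added example, not the agencies' tooling or the report's methodology: it classifies files by extension (an assumed mapping covering C, C++ and assembly as memory-unsafe), counts non-blank lines as an approximation of LoC, and reports the memory-unsafe fraction. The sample tree at the bottom is constructed for the example, not taken from any real project.

```python
"""Estimate the share of memory-unsafe lines of code (LoC) in a source tree.

Added illustration, not the CISA/partner report's tooling. Language detection
is by file extension and line counting skips blank lines only, so the figures
are an approximation of LoC rather than an exact count.
"""
import os
from collections import Counter

# Extension -> language. Assumed mapping for this example; extend as needed.
EXT_TO_LANG = {
    ".c": "C", ".h": "C",
    ".cc": "C++", ".cpp": "C++", ".cxx": "C++", ".hpp": "C++", ".hh": "C++",
    ".s": "Assembly", ".S": "Assembly", ".asm": "Assembly",
    ".rs": "Rust", ".go": "Go", ".py": "Python", ".java": "Java",
    ".js": "JavaScript", ".ts": "TypeScript",
}

# Languages treated as memory-unsafe for this estimate.
MEMORY_UNSAFE = {"C", "C++", "Assembly"}


def language_of(path):
    """Return the language for a path by its extension, or None if unknown."""
    _, ext = os.path.splitext(path)
    return EXT_TO_LANG.get(ext)


def count_loc(text):
    """Count non-blank lines; comments are not stripped (approximation)."""
    return sum(1 for line in text.splitlines() if line.strip())


def loc_by_language(files):
    """files: mapping of path -> contents. Returns a Counter of LoC per language."""
    counts = Counter()
    for path, text in files.items():
        lang = language_of(path)
        if lang is None:
            continue  # unknown extension: not counted as code
        counts[lang] += count_loc(text)
    return counts


def memory_unsafe_share(files):
    """Return (unsafe_loc, total_loc, fraction) for the given files."""
    counts = loc_by_language(files)
    total = sum(counts.values())
    unsafe = sum(n for lang, n in counts.items() if lang in MEMORY_UNSAFE)
    return unsafe, total, (unsafe / total if total else 0.0)


def read_tree(root):
    """Walk a real checkout into the path -> contents mapping used above."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip VCS metadata and vendored trees; dependencies deserve their own pass.
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules", "vendor"}]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if language_of(path) is None:
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
            except OSError:
                pass  # unreadable file: leave it out of the count
    return files


# Constructed sample tree (not a real project) to exercise the metric.
SAMPLE_TREE = {
    "src/net.c": "#include <stdio.h>\n\nint f(void) {\n    return 0;\n}\n",  # 4 LoC
    "src/crypto.cc": "int g() {\n    return 1;\n}\n",                      # 3 LoC
    "src/boot.S": "_start:\n    ret\n",                                   # 2 LoC
    "src/main.rs": "fn main() {\n\n    println!(\"hi\");\n}\n",            # 3 LoC
    "tools/build.py": "import os\n\nprint(os.getcwd())\n",                  # 2 LoC
    "README.md": "# ignored: unknown extension\n",
}

if __name__ == "__main__":
    unsafe, total, frac = memory_unsafe_share(SAMPLE_TREE)
    print(f"memory-unsafe LoC: {unsafe}/{total} ({frac:.0%})")
```

On the constructed tree this reports 9 of 14 lines (about 64%) as memory-unsafe. Running `memory_unsafe_share(read_tree("/path/to/checkout"))` gives the same figure for a real repository, but only for its own code: the report's second finding, exposure through dependencies, needs the same pass over each dependency's source tree as well.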