* . *
  • About
  • Advertise
  • Privacy & Policy
  • Contact
Thursday, September 4, 2025
Earth-News
  • Home
  • Business
  • Entertainment
    ITV Studios Launches New Entertainment Label – Global Bulletin – IMDb

    ITV Studios Unveils Exciting New Entertainment Label

    TS Entertainment bringing Malibu Jack’s to former Owensboro mall – Lane Report

    TS Entertainment Launches Malibu Jack’s at Former Owensboro Mall Location

    Jenny Han Dropped a Major ‘The Summer I Turned Pretty’ Easter Egg Revealing [SPOILER] – yahoo.com

    Jenny Han Just Unveiled a Huge ‘The Summer I Turned Pretty’ Easter Egg That Changes Everything [SPOILER]

    Liam Payne’s Cousin Ross Harris Honors Late Singer With Emotional Song ‘Bones’ – yahoo.com

    Liam Payne’s Cousin Ross Harris Honors Late Singer with Emotional New Song ‘Bones

    Country music star apologizes after drunken show ends with cops taking him down: ‘I’m not OK’ – PennLive.com

    Country Music Star Apologizes After Drunken Show Ends in Police Intervention: ‘I’m Not OK

    Comanche Nation Entertainment closes casino near Devol – KSWO 7News

    Comanche Nation Entertainment Closes Casino Near Devol in Surprising Move

  • General
  • Health
  • News

    Cracking the Code: Why China’s Economic Challenges Aren’t Shaking Markets, Unlike America’s” – Bloomberg

    Trump’s Narrow Window to Spread the Truth About Harris

    Trump’s Narrow Window to Spread the Truth About Harris

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Trending Tags

    • Trump Inauguration
    • United Stated
    • White House
    • Market Stories
    • Election Results
  • Science
  • Sports
  • Technology
    Credo Technology Group Holding Ltd. (CRDO) Surpasses Q1 Earnings and Revenue Estimates – Yahoo Finance

    Credo Technology Group Surpasses Q1 Earnings and Revenue Expectations

    The Economist is hiring a science and technology correspondent – The Economist

    Exciting Opportunity: Become Our Next Science and Technology Correspondent!

    Blockchain lender Figure Technology seeks to raise up to $526M in IPO (FIGR:Pending) – Seeking Alpha

    Blockchain Lender Figure Technology Sets Sights on $526M in Thrilling IPO Launch

    New Technology from Ramsey Theory Group Brings Diagnostic Testing and Telehealth Directly into Patients’ Homes – Yahoo Finance

    Revolutionary Ramsey Theory Technology Delivers Diagnostic Testing and Telehealth Right to Your Doorstep

    China’s CATL sells stake in Finnish subcontract car manufacturer – Reuters

    China’s CATL Sells Stake in Finnish Auto Supplier in Strategic Move

    This Secret Technology Will Make The IPhone 17 Super Thin Air – VOI.ID

    How This Breakthrough Technology Will Make the iPhone 17 Incredibly Thin and Lightweight

    Trending Tags

    • Nintendo Switch
    • CES 2017
    • Playstation 4 Pro
    • Mark Zuckerberg
No Result
View All Result
  • Home
  • Business
  • Entertainment
    ITV Studios Launches New Entertainment Label – Global Bulletin – IMDb

    ITV Studios Unveils Exciting New Entertainment Label

    TS Entertainment bringing Malibu Jack’s to former Owensboro mall – Lane Report

    TS Entertainment Launches Malibu Jack’s at Former Owensboro Mall Location

    Jenny Han Dropped a Major ‘The Summer I Turned Pretty’ Easter Egg Revealing [SPOILER] – yahoo.com

    Jenny Han Just Unveiled a Huge ‘The Summer I Turned Pretty’ Easter Egg That Changes Everything [SPOILER]

    Liam Payne’s Cousin Ross Harris Honors Late Singer With Emotional Song ‘Bones’ – yahoo.com

    Liam Payne’s Cousin Ross Harris Honors Late Singer with Emotional New Song ‘Bones

    Country music star apologizes after drunken show ends with cops taking him down: ‘I’m not OK’ – PennLive.com

    Country Music Star Apologizes After Drunken Show Ends in Police Intervention: ‘I’m Not OK

    Comanche Nation Entertainment closes casino near Devol – KSWO 7News

    Comanche Nation Entertainment Closes Casino Near Devol in Surprising Move

  • General
  • Health
  • News

    Cracking the Code: Why China’s Economic Challenges Aren’t Shaking Markets, Unlike America’s” – Bloomberg

    Trump’s Narrow Window to Spread the Truth About Harris

    Trump’s Narrow Window to Spread the Truth About Harris

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Trending Tags

    • Trump Inauguration
    • United Stated
    • White House
    • Market Stories
    • Election Results
  • Science
  • Sports
  • Technology
    Credo Technology Group Holding Ltd. (CRDO) Surpasses Q1 Earnings and Revenue Estimates – Yahoo Finance

    Credo Technology Group Surpasses Q1 Earnings and Revenue Expectations

    The Economist is hiring a science and technology correspondent – The Economist

    Exciting Opportunity: Become Our Next Science and Technology Correspondent!

    Blockchain lender Figure Technology seeks to raise up to $526M in IPO (FIGR:Pending) – Seeking Alpha

    Blockchain Lender Figure Technology Sets Sights on $526M in Thrilling IPO Launch

    New Technology from Ramsey Theory Group Brings Diagnostic Testing and Telehealth Directly into Patients’ Homes – Yahoo Finance

    Revolutionary Ramsey Theory Technology Delivers Diagnostic Testing and Telehealth Right to Your Doorstep

    China’s CATL sells stake in Finnish subcontract car manufacturer – Reuters

    China’s CATL Sells Stake in Finnish Auto Supplier in Strategic Move

    This Secret Technology Will Make The IPhone 17 Super Thin Air – VOI.ID

    How This Breakthrough Technology Will Make the iPhone 17 Incredibly Thin and Lightweight

    Trending Tags

    • Nintendo Switch
    • CES 2017
    • Playstation 4 Pro
    • Mark Zuckerberg
No Result
View All Result
Earth-News
No Result
View All Result
Home Technology

CISA Report Finds Most Open-Source Projects Contain Memory-Unsafe Code

July 2, 2024
in Technology
CISA Report Finds Most Open-Source Projects Contain Memory-Unsafe Code
Share on FacebookShare on Twitter

More than half of open-source projects contain code written in a memory-unsafe language, a report from the U.S.’s Cybersecurity and Infrastructure Security Agency has found. Memory-unsafe means the code allows for operations that can corrupt memory, leading to vulnerabilities like buffer overflows, use-after-free and memory leaks.

The report’s results, published jointly with the FBI, Australian Signals Directorate’s Australian Cyber Security Centre, and Canadian Cyber Security Center, are based on analysis of 172 critical projects defined by the OpenSSF’s Securing Critical Projects working group.

Out of the total lines of code for these projects, 55% were written in a memory-unsafe language, with the larger projects containing more. Memory-unsafe lines make up more than a quarter of all of the 10 largest projects in the data set, while the median proportion among them is 62.5%. Four of them are made up of more than 94% memory-unsafe code.

What are memory-unsafe languages?

Memory-unsafe languages, like C and C++, require developers to manually implement rigorous memory management practices, including careful allocation and deallocation of memory. Naturally, mistakes will be made, and these result in vulnerabilities that can allow adversaries to take control of software, systems and data.

On the other hand, memory-safe languages, like Python, Java, C# and Rust, automatically handle memory management though built-in features and shift the responsibility to the interpreter or compiler.

SEE: The 10 Best Python Courses Worth Taking in 2024

The report’s authors wrote: “Memory safety vulnerabilities are among the most prevalent classes of software vulnerability and generate substantial costs for both software manufacturers and consumers related to patching, incident response, and other efforts.”

They also analysed the software dependencies on three projects written in memory-safe languages, and found that each of them depended on other components written in memory-unsafe languages.

“Hence, we determine that most critical open source projects analysed, even those written in memory-safe languages, potentially contain memory safety vulnerabilities,” wrote the authors.

Chris Hughes, the chief security advisor at open source security company Endor Labs and cyber innovation fellow at CISA, told TechRepublic: “The findings certainly pose a risk to both commercial organisations and government agencies because of the prevalent exploitation of this class of vulnerabilities when we look at annual exploitation across classes of vulnerabilities. They are often among the most commonly exploited class of vulnerabilities year-over-year.”

Why is memory-unsafe code so prevalent?

Memory-unsafe code is prevalent because it gives developers the ability to directly manipulate hardware and memory. This is useful in instances where performance and resource constraints are critical factors, like in operating system kernels and drivers, cryptography and networking for embedded applications. The report’s authors observed this and expect it to continue.

Developers might use memory-unsafe languages directly because they are unaware of or unbothered by the risks. They can also intentionally disable the memory-safe features of a memory-safe language.

However, those aware of the risks and who do not wish to incorporate memory-unsafe code might do so unintentionally through a dependency on an external project. Performing a comprehensive dependency analysis is challenging for a number of reasons, making it easy for memory-unsafe dependencies to slip through the cracks.

For one, languages often have multiple mechanisms to specify or create dependencies, complicating the identification process. Furthermore, doing so is computationally expensive, as sophisticated algorithms are required to track all the potential interactions and side effects.

“Somewhere underneath every programming language stack and dependency graph, memory-unsafe code is written and executed,” the authors wrote.

SEE: Aqua Security Study Finds 1,400% Increase in Memory Attacks

Hughes told TechRepublic: “Often, these (memory-unsafe) languages have been widely adopted and used for years before much of the recent activity to try and encourage the transition to memory safe languages. Additionally, there is a need for the broader development community to transition to more modern memory safe languages.

“It would be difficult to change many of these projects to memory safe languages because it would require resources and efforts from the maintainers, to refactor/rewrite to memory safe languages. The maintainers may not have expertise in the memory safe language and even if they do, they may not be incentivized to do so, given they are largely unpaid volunteers not being compensated for the projects they’ve created and maintained.”

He added that organisations should offer monetary incentives and other resources to encourage open-source developers to transition their code, but also need to monitor any efforts to ensure that secure coding practices are implemented.

Recommendations to reduce risks of memory-unsafe code

The report refers to CISA’s The Case for Memory Safe Roadmaps document and the Technical Advisory Council’s report on memory safety for recommendations on how to reduce the prevalence of memory-unsafe languages. These recommendations include:

Transition existing projects to memory-safe languages, as recent advancements mean they now parallel the performance of memory-unsafe languages.
Write new projects in memory-safe languages.
Create memory-safe roadmaps that include clear plans for integrating memory-safe programming into systems and addressing memory safety in external dependencies.
Manage external dependencies by ensuring third-party libraries and components are also memory-safe or have mitigations in place.
Train developers in memory-safe languages.
Prioritise security in software design from the beginning of the software lifecycle, such as by adhering to Secure by Design principles.

Efforts from officials to reduce prevalence of memory-unsafe code

Federal officials and researchers in the U.S. have been working to reduce the amount of memory-unsafe software in circulation in recent years.

An October 2022 report from Consumer Reports noted that “roughly 60 to 70 percent of browser and kernel vulnerabilities — and security bugs found in C/C++ code bases — are due to memory unsafety.” Then, the National Security Agency released guidance for how software developers could protect against memory-safety issues.

In 2023, CISA Director Jen Easterly called on universities to educate students on memory safety and secure coding practices. The 2023 National Cybersecurity Strategy and its implementation plan were then published, which discussed investing in memory-safe languages and collaborating with the open source community to champion them further. That December, CISA published The Case for Memory Safe Roadmaps and the Technical Advisory Council’s report on memory safety.

In February this year, the White House published a report promoting the use of memory-safe languages and the development of software safety standards, which was backed by major technology companies including SAP and Hewlett Packard Enterprise.

The U.S. government’s efforts are being supported by a number of third-party groups that share their aim of reducing the prevalence of memory-unsafe code. The OpenSSF Best Practices Working Group has a dedicated Memory-Safety Special Interest subgroup, while the Internet Security Research Group’s Prossimo project wants to “move the Internet’s security-sensitive software infrastructure to memory safe code.” Google has developed the OSS-Fuzz service that continuously tests open-source software for memory-safety vulnerabilities and other bugs using automated fuzzing techniques.

>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : TechRepublic – https://www.techrepublic.com/article/open-source-projects-memory-unsafe-code-cisa/

Tags: findsReporttechnology
Previous Post

After months of testing, Google faces growing pressure to revamp the Privacy Sandbox

Next Post

‎Jadwa REIT Saudi says Dammam tower sale ‘negative’ in short term

Potential caterpillar mimicry in a tropical hummingbird – Falk – 2025 – Ecology – ESA Journals

Tropical Hummingbird’s Surprising Caterpillar Mimicry Revealed

September 4, 2025
Degrees of Science: Healthy Aging – KWTX

Unlocking the Secrets to Healthy Aging: A Science-Based Guide

September 4, 2025
Podcast: Blame, bad drivers, and ‘safety science’ – BikePortland

Podcast: Blame, bad drivers, and ‘safety science’ – BikePortland

September 4, 2025
If you want your 60s to be some of the best years of your life, say goodbye to these 5 behaviors – VegOut

If you want your 60s to be some of the best years of your life, say goodbye to these 5 behaviors – VegOut

September 4, 2025
Credo Technology Group Holding Ltd. (CRDO) Surpasses Q1 Earnings and Revenue Estimates – Yahoo Finance

Credo Technology Group Surpasses Q1 Earnings and Revenue Expectations

September 4, 2025

NFL Week 1 Power Rankings: Eagles Take Early Lead, But Bills Poised to Claim Ultimate Crown

September 4, 2025
Xi Parades Military Strength as Trump Accuses Him of Conspiring With Putin and Kim – The New York Times

Xi Unveils Military Strength as Trump Levels Accusations of Alliances with Putin and Kim

September 4, 2025
Trump tariffs and the Fed: Fate of U.S. economy may lie with the Supreme Court – Axios

How the Supreme Court Could Decide the Future of the U.S. Economy Amid Trump Tariffs and Fed Moves

September 4, 2025
ITV Studios Launches New Entertainment Label – Global Bulletin – IMDb

ITV Studios Unveils Exciting New Entertainment Label

September 4, 2025
RFK Jr. is spreading a reckless myth about SSRIs and mass shootings – MSNBC News

RFK Jr. Fuels Dangerous Myth Linking SSRIs to Mass Shootings

September 4, 2025

Categories

Archives

September 2025
MTWTFSS
1234567
891011121314
15161718192021
22232425262728
2930 
« Aug    
Earth-News.info

The Earth News is an independent English-language daily published Website from all around the World News

Browse by Category

  • Business (20,132)
  • Ecology (806)
  • Economy (824)
  • Entertainment (21,704)
  • General (16,848)
  • Health (9,865)
  • Lifestyle (839)
  • News (22,149)
  • People (826)
  • Politics (831)
  • Science (16,035)
  • Sports (21,323)
  • Technology (15,805)
  • World (805)

Recent News

Potential caterpillar mimicry in a tropical hummingbird – Falk – 2025 – Ecology – ESA Journals

Tropical Hummingbird’s Surprising Caterpillar Mimicry Revealed

September 4, 2025
Degrees of Science: Healthy Aging – KWTX

Unlocking the Secrets to Healthy Aging: A Science-Based Guide

September 4, 2025
  • About
  • Advertise
  • Privacy & Policy
  • Contact

© 2023 earth-news.info

No Result
View All Result

© 2023 earth-news.info

No Result
View All Result

© 2023 earth-news.info

Go to mobile version