Today, we jointly released a new Secure-by-Design publication, Exploring Memory Safety in Critical Open Source Projects, co-authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Canadian Centre for Cyber Security (CCCS).

This publication follows the December 2023 release of The Case for Memory Safe Roadmaps, which recommended software manufacturers create memory safe roadmaps, including plans to address memory safety in external dependencies, which commonly include open source software (OSS). Today’s publication provides a starting point for these roadmaps by investigating the scale of memory safety risk in selected OSS.

The publication highlights that most critical open source projects, even those written in memory-safe languages, potentially contain memory safety vulnerabilities. Successful exploitation of these types of vulnerabilities, such as buffer overflows and ‘use after free’, may allow adversaries to take control of software, systems, and data. Continued diligent use of memory safe programming languages, secure coding practices, and security testing is imperative to help mitigate these, and other, limitations.

Read the full publication to explore more on memory safety in critical open source projects: https://lnkd.in/gF55ntKW.

For guidance on how to create and publish memory safe roadmaps, and plan for how they will eliminate memory safety vulnerabilities, read our guidance on The Case for Memory Safe Roadmaps: https://lnkd.in/gs7XR_pp.
Excellent pieces like this from ASD and its partners provide me with constant reminders about how much I still don't know and help stimulate the imperative to keep on learning.
CEO at Securus Consulting Group
5mo
It is a great initiative Dan Tripovich; at Securus we have been following the UK's Digital Security by Design (DSBD) and the developments in device based mitigations such as CHERI against attacks like memory buffer overflow for some time now. We are starting to see it in products we've been assessing and it looks like a robust mitigation for mission critical devices. Alan Laing Gordon Oliver Daniel Thompson Ryan Wostikow Sebastian Scandura Greg Wilson