Joint advisory on exploring memory safety in critical open source projects

The Canadian Centre for Cyber Security (Cyber Centre) has joined the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) in releasing cyber security guidance on memory safety in critical open source projects.

This joint report is a follow-on product to previously released guidance on memory safe roadmaps. The new guidance builds upon the notion that memory safety vulnerabilities are the most prevalent class of software vulnerability. This new guidance recommends software manufacturers create memory safe roadmaps, including plans to address memory safety in external dependencies. These commonly include open source software (OSS).

The joint report provides a starting point for memory safe roadmaps by investigating the scale of memory safety risk in selected OSS.

Most of the critical open source projects analyzed for this report were potentially exposed to memory safety vulnerabilities, even those written in memory safe languages. This exposure arises from direct use of memory-unsafe languages, from external dependencies on projects that do the same, or from low-level functional requirements that force memory safety to be deactivated. Use of memory safe programming languages, secure coding practices, and security testing is required to address these vulnerabilities.

Further efforts to understand the scope of memory safety risks in OSS are encouraged, and discussion of the best approaches to managing these risks should continue.

Read the joint guidance advisory:

Exploring Memory Safety in Critical Open Source Projects
