Exploring Memory Safety in Critical Open Source Projects

CISA, in partnership with the Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre, and Canadian Cyber Security Center, crafted this joint guidance to provide organizations with findings on the scale of memory safety risk in selected open source software (OSS). This guide builds on The Case for Memory Safe Roadmaps by providing a starting point for software manufacturers to create memory safe roadmaps, including plans to address memory safety in external dependencies which commonly include OSS. Exploring Memory Safety in Critical Open Source Projects also aligns with the 2023 National Cybersecurity Strategy and corresponding implementation plan, which discusses investing in memory safety and collaborating with the open source community—including the establishment of the interagency Open Source Software Security Initiative (OS3I) and investment in memory-safe programming languages.

CISA encourages all organizations and software manufacturers to review the methodology and results found in the guidance to:

• Reduce memory safety vulnerabilities;
• Make secure and informed choices;
• Understand the memory-unsafety risk in OSS;
• Evaluate approaches to reducing this risk; and
• Continue efforts to drive risk-reducing action by software manufacturers.

To learn more about taking a top-down approach to developing secure products, visit CISA’s Secure by Design webpage.