Memory-unsafe programming languages prevail in critical open-source projects
In a recent statement, Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, emphasized the benefit of memory-safe languages in producing code with fewer exploitable defects. The shift towards memory-safe programming languages is gaining traction, particularly in open source projects and across the software industry.
On Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) released a report highlighting the prevalent use of memory-unsafe languages such as C and C++ in open source projects. The report found that more than half (52%) of the critical open source projects analyzed contain code written in memory-unsafe languages, and that four of the 10 largest projects have more than 94% of their code in such languages. The largest projects are disproportionately reliant on memory-unsafe code: across the 10 largest, the median proportion of memory-unsafe code is 62.5%.
Code written in memory-unsafe languages is prone to memory-safety bugs such as buffer overflows, out-of-bounds reads and use-after-free, which account for a large share of critical security vulnerabilities. To address this, federal officials and major technology firms including SAP, Hewlett Packard Enterprise and Palantir are working to phase out these languages in favor of memory-safe programming languages such as Rust and Swift.
One challenge in shifting to memory-safe languages is that development teams are often skilled mainly in memory-unsafe languages. Another is that much software depends on libraries that are not memory safe, so the two must coexist for years. Nevertheless, the White House, along with these technology firms, has backed an effort to promote adoption of memory-safe code.
In 2023, CISA Director Jen Easterly called for a shift to memory-safe programming languages. The U.S. National Security Agency (NSA) had already advised moving away from unsafe languages and promoting memory-safe alternatives in 2022. This stance was reaffirmed in June 2025 with a joint NSA and CISA Information Sheet emphasizing the persistent risks of memory safety vulnerabilities and advocating for strategic adoption of memory-safe languages in software development.
CISA's Secure by Design program highlights memory-safe languages as key to proactive security throughout the development lifecycle, and issues practical guidance to organizations in government, academia and industry to support the transition. Major corporations and government agencies are migrating critical infrastructure codebases from C/C++ to languages like Rust because of its safety guarantees. Since migration is incremental, mixed Rust/C codebases remain common, and the foreign-function boundary between the two is where unchecked C data can undermine Rust's guarantees; tools like Omniglot have been developed to safeguard those interactions without significantly degrading performance.
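To make concrete both the class of bug the report is about and the Rust/C boundary the previous paragraph mentions, here is an added example (not code from the report, from Omniglot or from any project named on this page). It parses a hypothetical length-prefixed record, the kind of input where a C parser doing `memcpy(buf, input + 1, len)` into a fixed buffer would overflow if the length byte lies. The safe Rust parser turns a lying length into an error value because every index is checked, and the `unsafe` FFI-style entry point shows exactly where a C caller's pointer and length are trusted before control returns to checked Rust. The record format, `MAX_PAYLOAD`, and the function names are assumptions for the example.

```rust
// Added example: a length-prefixed record parser that cannot read out of
// bounds on a malformed length, plus the unsafe FFI-style entry point a C
// caller would use. Hypothetical format; not taken from any project.

use std::slice;

/// Record = one length byte followed by that many payload bytes.
/// 16 mirrors a `char buf[16]` a C parser might copy into (assumed value).
const MAX_PAYLOAD: usize = 16;

#[derive(Debug, PartialEq)]
pub struct Record {
    pub payload: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Empty,
    TooLong { declared: usize, max: usize },
    Truncated { declared: usize, available: usize },
    NullPointer,
}

/// Safe parser. `get(1..1 + declared)` returns `None` instead of reading past
/// the end of `input`, so an attacker-controlled length byte becomes an error
/// value rather than an out-of-bounds read.
pub fn parse_record(input: &[u8]) -> Result<Record, ParseError> {
    let declared = *input.first().ok_or(ParseError::Empty)? as usize;
    if declared > MAX_PAYLOAD {
        return Err(ParseError::TooLong { declared, max: MAX_PAYLOAD });
    }
    let available = input.len() - 1; // non-empty here, so no underflow
    let payload = input
        .get(1..1 + declared)
        .ok_or(ParseError::Truncated { declared, available })?;
    Ok(Record { payload: payload.to_vec() })
}

/// FFI-style entry point: a C caller hands over a raw pointer and a length
/// that Rust cannot verify. The `unsafe` block marks exactly where the C
/// side's guarantees are trusted; everything after the slice is built is
/// checked Rust again. This boundary is what FFI-hardening tools target.
///
/// # Safety
/// `ptr` must be null or point to `len` readable, initialised bytes that
/// remain valid for the duration of the call.
pub unsafe fn parse_record_raw(ptr: *const u8, len: usize) -> Result<Record, ParseError> {
    if ptr.is_null() {
        return Err(ParseError::NullPointer);
    }
    // SAFETY: the caller upholds the contract documented above.
    let input = unsafe { slice::from_raw_parts(ptr, len) };
    parse_record(input)
}

fn main() {
    // Constructed inputs: one well-formed record and two whose length byte
    // claims more payload than the buffer actually holds.
    let good = [3u8, b'a', b'b', b'c'];
    let lying = [200u8, b'a']; // declares 200 bytes, holds 1
    let short = [5u8, b'a', b'b']; // declares 5 bytes, holds 2

    println!("{:?}", parse_record(&good));
    println!("{:?}", parse_record(&lying));
    println!("{:?}", parse_record(&short));
    println!("{:?}", unsafe { parse_record_raw(good.as_ptr(), good.len()) });
    println!("{:?}", unsafe { parse_record_raw(std::ptr::null(), 0) });
}
```

The point of the split is auditability: in a mixed codebase the `unsafe` block is the only place where a reviewer has to reason about what the C side promised, and the safety contract is written next to it. A C parser has no such marker, which is why the report's proportions matter for risk.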
Emerging memory-safe alternatives like Embedded Swift are also gaining traction in embedded systems, combining low-level control with automatic memory management, type safety and modern language features, while retaining interoperability with existing C code.
The shift to memory-safe programming languages is part of a larger effort to embrace secure-by-design development practices. Note that Mackey's statement addresses only the defect-reduction benefit of memory-safe languages; it does not speak to whether memory-safety vulnerabilities in open source projects have been exploited by threat groups, nor to the report's finding that the largest open source projects rely disproportionately on memory-unsafe languages.
The report analyzed 172 critical projects drawn from the Open Source Security Foundation's Critical Projects Working Group. Continuing these efforts to improve software security and resilience, while managing legacy interoperability through specialized tooling and gradual migration, remains crucial.
- The report released by the FBI and CISA found that more than half of critical open source projects contain code written in memory-unsafe languages, a significant cybersecurity concern.
- To reduce these exploitable defects, federal officials and major technology firms are working to phase out memory-unsafe languages in favor of memory-safe programming languages such as Rust and Swift.