Cybersecurity and Infrastructure Security Agency’s Post

CISA: Most critical open source projects not using memory safe code The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that most crucial open-source projects are prone to memory flaws. Their research analyzed 172 prominent open-source projects, highlighting the ongoing need for robust memory-safe coding practices in open-source software.

Many important open source projects are at risk due to using memory-unsafe languages, found in over half (52%) of them, according to a recent analysis by CISA and partners. These languages can lead to security issues like buffer overflows. Experts suggest switching to safer options like Rust to reduce these risks. Governments are working with the community to improve software safety standards, aiming for a shift towards more secure programming languages across the industry. Read the full article on Infosecurity Magazine by James Coker for detailed insights 🔗 https://lnkd.in/gSe7Gkf6 Follow our page Start With WCPGW 🔔 #SoftwareSecurity #OpenSource #Rust #MemorySafety #Cybersecurity #startwithwcpgw #wcpgw #infosec #technology

A comprehensive new study has unearthed fresh details on the extensive and troubling use of memory-unsafe code in major open source software (OSS) projects. #cybersecurity #cisa #oss #opensource

🔒 Peneto Labs Update: CISA Highlights Open Source Vulnerabilities 🔒 The Cybersecurity and Infrastructure Security Agency (CISA) reports that most critical open source projects are not using memory-safe code. This oversight increases the risk of vulnerabilities and potential exploits in widely-used software. Developers and organizations are encouraged to prioritize memory safety in their code to enhance security and protect against threats. Stay proactive in securing your projects. Read More: https://lnkd.in/gQqXNNy4 #CyberSecurity #OpenSource #CISA #PenetoLabs #MemorySafety #SecureCoding #SoftwareSecurity

Recently OpenSSF shared an excellent blog calling out an attempted social engineering attempt where individuals were attempting to gain maintainer rights over a project, but were exhibiting behavior that was clearly counter to normal given the request(s) being made. There is clearly a new pattern emerging (though in reality it has always been here) around compromising the software supply chain at the most foundational level. This further reinforces that the security industry must react properly to this activity and focus on software supply chain security in a holistic manner, not just at the source code level, but also at the compiled code level and not just looking for malware. Great write up Omkhar Arasaratnam and Robin Bender Ginn! #supplychainsecurity https://lnkd.in/gUV6sKrz

This weekend, an attempt to implement a backdoor on the global IT infrastructure was narrowly thwarted. The backdoor was introduced into an obscure, but crucial, piece of open source software maintained by one lone overworked developer in Finland. The threat actor abused this fact to gain their trust over several years, employing all manner of social engineering and pressures to get them to give up control of their project. Rob Mensching had some great insights on how the social engineering was done in his blog (linked below). While the technical aspects of the backdoor and how it was implemented get most of the headlines, the social engineering aspects employed should not be forgotten. Is it sustainable and safe that we rely on free work from lone developers to maintain crucial parts of the global IT infrastructure? How can the open source community prevent these attacks in the future? #cybersecurity #opensource #xz #xzbackdoor

Interesting points re: software vulnerability reporting. "While many of the CVEs are filed in good faith by responsible researchers and represent credible security vulnerabilities, a recently growing pattern involves newbie security enthusiasts and bug bounty hunters ostensibly 'collecting' CVEs to enrich their resume rather than reporting security bugs that constitute real-world, practical impact from exploitation." https://lnkd.in/dVMFnXA2

🚨 Rise in Bogus CVE Reports Against Open Source Projects Recently, the ‘node-ip’ project was archived by its developer, Fedor Indutny, due to a disputed CVE report, making the repository read-only. This follows a trend in the rise of questionable vulnerability reports against open-source projects. Top 3 takeaways: 📈 There has been an increase in questionable CVE reports, causing unnecessary panic and workload for developers. 😤 Developers like Indutny and Daniel Stenberg of ‘curl’ have expressed frustration over these reports, which often lack real-world impact. 🛡️ The challenge lies in balancing the need for security disclosures with preventing burnout among open-source developers. #cybersecurity #news #developers #vulnerabilities #opensource #kraven #KravenSecurity #adamgoss #cti #threatintelligence

The most interesting thing form me in the recent discovery of the xz/liblzma vulnerability is that in addition to provide remote code execution to hostiles it's also an example of a cleverly crafted supply chain attack that began as a social engineering attack almost two years ago. Here is an enlightening reconstruction by Rob Mensching: https://lnkd.in/dAgmNhKH #cybersecurity #vulnerability #ssh #linux #security

Memory-Safe Code: A Cybersecurity Must [#CyberSecurity #OpenSource] 🔐 Key Findings from the CISA Report: - Only 25% of critical open-source projects utilize memory-safe code. - Memory-unsafe codes like C and C++ still dominate, posing security risks such as buffer overflows. The urgency for open-source maintainers to adopt memory-safe coding practices is clearer than ever to fortify cybersecurity defenses. ✨ Do you think transitioning to memory-safe languages is feasible for most open-source projects? How can the cybersecurity community support this shift? #SoftwareDevelopment #DataSecurity #TechLeaders #InfoSec #Programming Explore the full analysis here: https://lnkd.in/gr273qsk