CISA Open Source Safety Analysis

The US cybersecurity agency analyzed popular open-source projects and found that many widely used projects still contain a large amount of memory-unsafe code.
Projects still relying on memory-unsafe code include: Linux, Chrome (Chromium), Firefox (Gecko), Node, PHP, Python, Redis, Postgres, MySQL, OpenSSH, and OpenSSL.
On the other hand, this is still a huge improvement over a decade ago. Projects that rely mostly on memory-safe code include Ruby and Go. There are others, but they mostly make the list because they are built on something else, which is often unsafe (e.g. WordPress on PHP).
For our work, we rely on Node and Linux. Linux will never be safe, but someone may rewrite the majority of Linux in Rust (Runix?!).
Alternatives to Node already exist, but one of them relies on V8, which is not memory-safe (it is part of Chromium, in case you are wondering why it is not on the CISA list). Bun relies on Zig, which is less safe than Rust:
Zig removes some of the most egregious footguns from [C], has better defaults, makes some good practices more ergonomic, and benefits from a fresh start in the standard library (e.g. using slices everywhere). But it does not nearly approach the level of systematic prevention of memory unsafety that Rust achieves. It is still trivial to violate memory safety in Zig.
Of course, we also rely heavily on Amazon’s stack, and determining its safety is non-trivial. Fortunately, there is evidence that Amazon takes memory safety into account. For example, DynamoDB is based on Java, a memory-safe language. Then again, Java itself is typically implemented in C, which is not.