CISA's Flags Memory-Unsafe Code in Major Open Source Projects
Despite more than 50% of all open source code being written in memory-unsafe languages like C++, we are unlikely to see a massive overhaul to code bases anytime soon.
Source code reveals how software works, helping security teams identify vulnerabilities, exposed secrets, and unsafe logic before attackers can exploit them.
Search across headline titles and summaries.
Background for this topic.
Source code is the human-readable text programmers write in a language such as Python, Java, or C before it is compiled or interpreted into a running program. It defines the program’s logic, data handling, and interactions with operating systems, networks, and other services. Source code may include application code, scripts, and configuration that controls software behavior.
In security, exposed or improperly protected repositories can disclose credentials, private keys, internal endpoints, or details that help attackers find exploitable flaws. Vulnerabilities may also enter through unsafe coding patterns, outdated dependencies, or malicious changes to code and build pipelines. Defenses include least-privilege repository access, secret scanning, peer review, static analysis, dependency and software-composition checks, and integrity controls for releases. Preserving commit history and build provenance helps investigators determine what changed and whether delivered software matches reviewed source.
Despite more than 50% of all open source code being written in memory-unsafe languages like C++, we are unlikely to see a massive overhaul to code bases anytime soon.
Developers are using more and more open-source code because they "want to move fast," said Cycode's Lotem Guy. But the speed of development and the continuous deployment that follows means security teams have to catch up to the fast-moving development life cycle.
A threat actor modified the source code of at least five plugins hosted on WordPress.org to include malicious PHP scripts that create new accounts with administrative privileges on websites running them. [...]