
Can and should a penetration test report include an informational note about not having used a (by-design) memory-safe programming language?

Çağlar Arlı


Firstly, a quote from a good article about the importance of memory safety by memorysafety.org:

How common are memory safety vulnerabilities? Extremely. A recent study found that 60-70% of vulnerabilities in iOS and macOS are memory safety vulnerabilities. Microsoft estimates that 70% of all vulnerabilities in their products over the last decade have been memory safety issues. Google estimated that 90% of Android vulnerabilities are memory safety issues. An analysis of 0-days that were discovered being exploited in the wild found that more than 80% of the exploited vulnerabilities were memory safety issues.

...

These vulnerabilities and exploits, and many others, are made possible because C and C++ are not memory safe. Organizations which write large amounts of C and C++ inevitably produce large numbers of vulnerabilities that can be directly attributed to a lack of memory safety. These vulnerabilities are exploited, to the peril of hospitals, human rights dissidents, and health policy experts. Using C and C++ is bad for society, bad for your reputation, and it's bad for your customers.

I couldn't agree more and would urge every developer to switch to a more memory-safe (by default) programming language, like Rust, whenever possible. Yes, you can (in some cases) make other programming languages more memory-safe as well by implementing best practices; however, considering a layered-security approach (defense in depth), it's better to use a programming language that is memory-safe by default.

I can imagine that for many developers, switching programming languages is a sensitive subject, considering the time spent mastering one. Perhaps giving an opinion about this subject at all, as a penetration tester, might lean towards being out of scope or be perceived as unasked advice. However, for important or relevant code I am considering reporting 'an informational note' in future penetration test reports, something like the following:

The following code or software isn't written in a programming language that is memory-safe by default. Using the current programming language requires a strict and consistent implementation of best practices to reduce potential memory issues that could result in vulnerabilities. Consider using a programming language that is memory-safe by design instead.

Can and should a penetration test report include an informational note about not having used a (by-design) memory-safe programming language?

Lastly, this issue in my opinion needs to be on the agenda of more developers. It's great that, for example, even the White House recently published about this in 'Fact Sheet: ONCD Report Calls for Adoption of Memory Safe Programming Languages and Addressing the Hard Research Problem of Software Measurability'.
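The post's proposed note says that a language without by-default memory safety demands a "strict and consistent implementation of best practices". The following C example, added here and not part of the original post or of memorysafety.org's article, shows concretely what that sentence refers to: a small parser for a constructed length-prefixed record format (the format, the function names and the 16-byte capacity are all assumptions made for the illustration). The first variant trusts the length field the way much real-world C does; the second validates every input-derived quantity before memory is touched. The point for the report reader is that the two differ only by the checks, and nothing in the language forces a developer to write them, which is the layered-defense argument the post makes for memory-safe-by-default languages.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record format used only for this example (not from the page):
 *   [1 byte length][length bytes of payload]
 * The destination buffer holds at most PAYLOAD_MAX bytes plus a terminator. */
#define PAYLOAD_MAX 16

/* Risky pattern: the payload length comes from untrusted input and is used
 * for the copy without comparing it against the bytes actually present in
 * `in` or the capacity of `out`. Nothing in C stops this copy from reading
 * past the input or writing past the destination; that is the class of
 * memory issue the informational note refers to. Kept here for contrast and
 * never called with malformed input. */
size_t parse_record_unchecked(const uint8_t *in, size_t in_len, char *out) {
    (void)in_len;                 /* the available length is ignored: that is the defect */
    size_t n = in[0];
    memcpy(out, in + 1, n);
    out[n] = '\0';
    return n;
}

/* Hardened pattern: each quantity derived from the input is validated against
 * what is actually available before any memory is touched. Returns the payload
 * length on success and (size_t)-1 on a malformed or oversized record. */
size_t parse_record_checked(const uint8_t *in, size_t in_len,
                            char *out, size_t out_cap) {
    if (in == NULL || out == NULL || in_len < 1)
        return (size_t)-1;        /* no length byte present */
    size_t n = in[0];
    if (n > in_len - 1)
        return (size_t)-1;        /* record claims more bytes than were supplied */
    if (n + 1 > out_cap)
        return (size_t)-1;        /* payload plus terminator would not fit */
    memcpy(out, in + 1, n);
    out[n] = '\0';
    return n;
}

/* Parses into a fixed PAYLOAD_MAX-byte buffer and reports whether the record
 * was accepted (1) or rejected (0). */
int record_is_accepted(const uint8_t *in, size_t in_len) {
    char buf[PAYLOAD_MAX + 1];
    return parse_record_checked(in, in_len, buf, sizeof buf) != (size_t)-1;
}

int main(void) {
    /* Constructed sample inputs for the demonstration. */
    const uint8_t good[]      = {5, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t truncated[] = {9, 'h', 'i'};   /* length byte exceeds the bytes supplied */
    const uint8_t oversized[] = {200, 'x'};      /* length byte far beyond any buffer here */
    char buf[PAYLOAD_MAX + 1];

    printf("good:      %s\n", record_is_accepted(good, sizeof good) ? "accepted" : "rejected");
    printf("truncated: %s\n", record_is_accepted(truncated, sizeof truncated) ? "accepted" : "rejected");
    printf("oversized: %s\n", record_is_accepted(oversized, sizeof oversized) ? "accepted" : "rejected");
    if (parse_record_checked(good, sizeof good, buf, sizeof buf) != (size_t)-1)
        printf("payload:   %s\n", buf);
    return 0;
}
```

Compile with any C99 compiler and run; the good record prints its payload while the truncated and oversized ones are rejected before `memcpy` runs. Reviewing C or C++ for findings of this kind means confirming that every such check is present at every input boundary, which is the consistency burden the note asks the reader to weigh against a language that enforces it by default.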