The US government says it would prefer that you stop using C or C++ when writing software. In a recent report, the White House Office of the National Cyber Director (ONCD) has urged developers to use “memory-safe programming languages,” a classification that does not include those two widely used languages. The recommendation is a step toward “securing the building blocks of cyberspace” and is a component of US President Biden’s cybersecurity plan.
Memory safety is the defense against flaws and vulnerabilities related to memory access. Examples of such flaws include dangling pointers and buffer overflows. Java’s runtime fault-detection checks make it a memory-safe language. By contrast, both C and C++ support unconstrained pointer arithmetic on direct memory addresses without bounds checking.
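The two flaw classes named above, shown in C as an added example (this code is not from the ONCD report or the article; the helper names `bounded_copy`, `free_and_null` and `demo`, and the sample strings, are constructed for illustration). The first helper copies a string only after checking that it fits the destination's declared capacity, which is the check `strcpy()` never performs; the second frees a heap block and clears the caller's pointer so it cannot be used as a dangling pointer afterwards.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a bounds-checked string copy. strcpy() copies until it finds
 * a NUL byte and never consults the destination's size, which is the kind of
 * unchecked memory access the report describes. This helper takes the capacity
 * explicitly and refuses to write past it.
 * Returns 0 on success, -1 if src plus its NUL terminator does not fit; on
 * failure dst is left as an empty string so the caller never reads garbage. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t needed = strlen(src) + 1;          /* payload plus NUL */
    if (needed > dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, needed);
    return 0;
}

/* Added example: free() does not clear the caller's pointer, so the stale
 * address can still be dereferenced (a dangling pointer). Taking the address
 * of the pointer lets this helper free and null it in one step; a later
 * accidental use then fails loudly instead of silently reading freed memory. */
void free_and_null(char **pp)
{
    if (pp == NULL) return;
    free(*pp);
    *pp = NULL;
}

/* Demonstration on constructed input: a 16-byte stack buffer, one string that
 * fits and one that would overflow it. Returns the number of rejected copies. */
int demo(void)
{
    char buf[16];
    int rejected = 0;
    const char *short_input = "hello";                        /* constructed */
    const char *long_input = "this string is longer than 16"; /* constructed */

    if (bounded_copy(buf, sizeof buf, short_input) != 0) rejected++;
    printf("after short copy: \"%s\"\n", buf);

    if (bounded_copy(buf, sizeof buf, long_input) != 0) rejected++;
    printf("after long copy (rejected, buffer cleared): \"%s\"\n", buf);

    char *heap = malloc(32);
    if (heap != NULL) {
        bounded_copy(heap, 32, short_input);
        free_and_null(&heap);
    }
    printf("heap pointer after free_and_null: %s\n",
           heap == NULL ? "NULL" : "dangling");
    return rejected;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The point of passing `sizeof buf` rather than relying on the source's terminator is that the destination's capacity becomes part of the interface; in a memory-safe language the runtime enforces that invariant for you, while in C the programmer has to thread it through every call by hand.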
In no particular order, the NSA suggests these memory-safe programming languages:
- Go
- Rust
- C#
- Swift
- Java
- Ruby
- Python
- Delphi/Object Pascal
- Ada
According to a 2019 analysis by Microsoft security engineers, memory safety problems were the root cause of almost 70% of security vulnerabilities. In 2020, Google released a similar figure, although this time it was for Chromium browser issues.
The extensive report says, “Experts have identified a few programming languages that both lack traits associated with memory safety and also have high proliferation across critical systems, such as C and C++.” And the report continues, “Choosing to use memory safe programming languages at the outset, as recommended by the Cybersecurity and Infrastructure Security Agency’s (CISA) Open-Source Software Security Roadmap is one example of developing software in a secure-by-design manner.”
The 19-page report aims to ensure that small organizations and individuals are not the only ones responsible for cybersecurity. Instead, the onus is on bigger institutions, digital businesses, and ultimately the government. The report seeks to detail what are considered “unsafe” programming languages, namely C and C++. The Microsoft report says, “We’re not here to debate the pros and cons of programming languages,” but it is interesting to see that the report does not suggest a specific language in their place. We are told that there are “dozens of memory-safe programming languages that can — and should — be used.”
Additionally, the paper recommends improving software security metrics. According to ONCD, better measurements let technology providers plan, predict, and address risks before they become an issue.
Featured Image Credit: Paul Buijs; Pexels