- US government agencies speak out about memory-unsafe languages
- C/C++ are a “risk to national security,” the economy, public health and safety
- Developers working with critical infrastructure advised to follow further guidance
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have advised businesses not to use the popular C and C++ programming languages, citing security concerns.
The joint report, titled ‘Product Security Bad Practices,’ forms part of the CISA’s ‘Secure by Design’ initiative, and hopes to guide software manufacturers away from risky practices when creating products for critical infrastructure.
Using memory-unsafe languages, like C and C++, was highlighted as one of the key threats to security in the report.
CISA and FBI warn against use of C/C++
Described as “dangerous” and a “risk to national security, national economic security, and national public health and safety,” the agencies advise against using memory-unsafe languages where memory-safe languages are a viable alternative.
Other recommended action includes publishing a memory safety roadmap by January 1, 2026, detailing steps to address vulnerabilities, particularly for sensitive components, however products with support ending before January 1, 2030 will be exempt from this guidance.
More broadly, a Stack Overflow survey of more than 3,000 UK developers last month revealed that nearly two-thirds (63%) of developers in Britain preferred JavaScript, which is a memory-safe language.
The agencies also highlight some common security oversights, suggesting that companies build products in such a way that they prevent the introduction of SQL injection vulnerabilities and command injection vulnerabilities. The advisory also recommends avoiding using default passwords by requiring the use of secure credentials upon installation.
In terms of ongoing support, the two agencies also call for companies to issue CVEs in a “timely manner,” particularly for critical and high-impact vulnerabilities, whether they are discovered internally or by a third party.
Full details of the advisory can be found on the CISA’s website.