The US government recommends that developers stop using C/C++ and switch to memory-safe programming languages

Publisher: SereneSunset | Latest update time: 2024-02-29 | Source: IT之家 | Keywords: C++, programming

According to news on February 29, the U.S. government recently released a cybersecurity report calling on developers to stop using programming languages that are prone to memory safety vulnerabilities, such as C and C++, and to use memory-safe programming languages instead. The report was released by the U.S. Office of the National Cyber Director (ONCD) to implement U.S. President Joe Biden's cybersecurity strategy, with the goal of "protecting the cornerstone of cyberspace."

Memory safety refers to the ability of a program to avoid errors and vulnerabilities when accessing memory, such as buffer overflows and dangling pointers. Java is considered a memory-safe language due to its runtime error detection capabilities. However, C and C++ allow direct manipulation of memory addresses and lack bounds checking, making them prone to memory safety issues.
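The two failure modes named above, a buffer overflow and a dangling pointer, with the kind of runtime check that C omits written out by hand. This is an added example, not code from the report or the article; every type and function name is hypothetical, and the generation counter is one common way to detect stale references, not a description of any particular language runtime.

```c
#include <stddef.h>
#include <stdint.h>
/* All names are hypothetical; illustrative code, not taken from the report. */

/* Fat pointer: the buffer travels with its length so every access can be checked. */
typedef struct { uint8_t *data; size_t len; } span_t;

/* Checked copy: rejects input larger than the destination instead of overflowing. */
int span_copy(span_t dst, const uint8_t *src, size_t n) {
    if (dst.data == NULL || src == NULL || n > dst.len) return -1;
    for (size_t i = 0; i < n; i++) dst.data[i] = src[i];
    return 0;
}

/* Generation-tagged slot: a handle is valid only while its generation matches. */
typedef struct { int value; uint32_t gen; int live; } slot_t;
typedef struct { slot_t *slot; uint32_t gen; } handle_t;

handle_t slot_acquire(slot_t *s, int value) {
    handle_t h = { s, s->gen };
    s->value = value; s->live = 1;
    return h;
}

/* Release bumps the generation, so every outstanding handle becomes stale. */
void slot_release(slot_t *s) { s->live = 0; s->gen++; }

/* Checked dereference: returns -1 for a dangling handle instead of reading it. */
int handle_get(handle_t h, int *out) {
    if (h.slot == NULL || !h.slot->live || h.gen != h.slot->gen) return -1;
    *out = h.slot->value;
    return 0;
}

/* Constructed scenario: counts how many of two unsafe operations are rejected. */
int demo(void) {
    uint8_t buf[8] = {0}, input[12] = {0};
    span_t s = { buf, sizeof buf };
    slot_t slot = {0};
    handle_t h = slot_acquire(&slot, 42);
    int v = 0, rejected = 0;
    rejected += span_copy(s, input, sizeof input) == -1; /* 12 bytes into 8 */
    slot_release(&slot);
    rejected += handle_get(h, &v) == -1;                 /* use after release */
    return rejected;
}

int main(void) { return demo() == 2 ? 0 : 1; }
```

With raw pointers and `memcpy`, both operations in `demo` would compile and run with undefined behaviour; here each one returns an error the caller can handle.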

Citing research data from Microsoft and Google, the report pointed out that more than 70% of security vulnerabilities are related to memory safety issues. The report also cites the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) open source software security roadmap, which recommends that developers use memory-safe programming languages from the beginning and practice "secure by design" development.

The 19-page report aims to emphasize that cybersecurity is not just the responsibility of individuals, but also the shared responsibility of large organizations, technology companies and governments. The report does not recommend a specific programming language to replace C and C++, but emphasizes that there are multiple memory-safe programming languages to choose from. The report also calls on businesses and engineers to adopt best software development practices and use memory-safe hardware to reduce the possibility of malicious attacks.

In a cybersecurity information document released in November last year, the U.S. National Security Agency (NSA) listed programming languages it considers safe, including:

  • Rust
  • Go
  • C#
  • Java
  • Swift
  • JavaScript
  • Ruby

But according to the TIOBE index (a measure of the popularity of programming languages), C# ranks 5th on the list, Java is 4th, JavaScript is 6th, Go is 8th, Swift is 16th, Rust is 18th, and Ruby is 20th. It can be seen that only 4 of the languages recommended by the NSA are among the languages most commonly used by developers.

The report also emphasizes the importance of software security assessment and believes that better assessment standards can help technology companies better plan, predict and mitigate the risk of vulnerabilities. The report also used the Apollo 13 moon landing mission as an example to emphasize the importance of using memory-safe code in critical areas such as space exploration.

The report is part of a series of U.S. government cybersecurity initiatives. In March 2023, President Biden signed a cybersecurity executive order aimed at strengthening software and hardware security and establishing partnerships with the technology industry. As digitalization continues to advance, more secure programming languages and development methods have become critical, and this report is the latest move to call on the industry to pay attention to this issue.

