The US Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, has issued a recommendation urging businesses to avoid using the widely used C and C++ programming languages because of their security risks.
This advice comes as part of a joint report titled ‘Product Security Bad Practices,’ which is aligned with CISA’s ‘Secure by Design’ initiative.
The report aims to steer software developers away from dangerous practices when designing products for critical infrastructure.
One of the primary security threats highlighted in the report is the use of memory-unsafe languages such as C and C++.
The agencies have labeled the use of memory-unsafe languages as “dangerous,” saying it poses a significant threat to national security, economic stability, and public health and safety. They strongly recommend avoiding such languages when memory-safe alternatives are available.
Additionally, the agencies suggest that a memory safety roadmap be published by January 1, 2026, outlining measures to address vulnerabilities, especially in critical components. However, products with support ending before January 1, 2030, are exempt from this directive.
A recent Stack Overflow survey of over 3,000 UK developers found that 63% favored JavaScript, a memory-safe language, over others.
The advisory also pointed out several common security oversights. It urged companies to design products that prevent vulnerabilities such as SQL injection and command injection.
Additionally, the agencies recommend avoiding the use of default passwords, advising that secure credentials be required during installation to enhance product security.
The agencies also emphasized the importance of ongoing support, urging companies to issue CVEs (Common Vulnerabilities and Exposures) promptly, especially for critical and high-impact vulnerabilities. This applies whether the vulnerabilities are identified internally or by external parties.