The US government is cracking down on software development practices, warning that the security of critical infrastructure depends heavily on secure coding standards. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a report highlighting the dangers of using memory-unsafe programming languages like C and C++.
Manufacturers have until January 1, 2026, to create a roadmap for addressing memory safety issues in their products. This roadmap should outline prioritized efforts to reduce vulnerabilities in priority code components. The agencies also emphasize the importance of eliminating default passwords from admin accounts by the same date.
The report identifies three categories of security concerns: product properties, security features, and organizational processes. It advises software manufacturers to avoid these bad practices and follow recommended guidelines. Companies are encouraged to maintain software bills of materials, cache dependencies securely, and contribute responsibly to open source projects they depend on.
While some experts welcome the agencies’ stance, others point out that migrating away from C/C++ is a complex task. Analyst Brad Shimmin notes that companies have until 2026 to develop more effective security measures, which may involve hardware manufacturing advancements or programming language improvements like the Safe C++ proposal.
Source: https://thenewstack.io/feds-critical-software-must-drop-c-c-by-2026-or-face-risk/