The US federal government is urging software manufacturers to switch away from the C and C++ programming languages due to security concerns, according to a recent Product Security Best Practices report. The Centers for Internet Safety Awareness (CISA) and the FBI have set a deadline of January 1, 2026, for compliance with memory safety guidelines.
While the report is non-binding, it advises manufacturers who work on critical infrastructure or national security functions to follow the guidelines to reduce customer risk. The agencies specifically focus on on-premises software, cloud services, and software-as-a-service.
The report highlights the dangers of using “unsafe” programming languages like C and C++. Development in these languages is seen as a major risk factor that can lead to memory management issues, which threat actors can exploit.
To comply with the guidelines by January 2026, software manufacturers are required to:
– Develop a memory safety roadmap for existing products written in memory-unsafe languages
– Demonstrate how this roadmap will reduce memory-safety vulnerabilities
– Show “reasonable effort” in following the roadmap
Alternatively, manufacturers should use an approved memory-safe language such as Python, Java, C#, Go, Delphi/Object Pascal, Swift, Ruby, Rust, or Ada, or another programming language that provides equivalent memory-safety guarantees.
The report also identifies several other practices that are considered “exceptionally risky” and must be avoided, including:
– Allowing user-provided input directly in SQL database queries
– Releasing products containing known vulnerabilities from CISA’s KEV Catalog
– Using default passwords without providing random instance-unique initial passwords
By following these guidelines, software manufacturers can signal to customers that they are taking ownership of customer security outcomes and demonstrate a commitment to Secure by Design principles.
Source: https://www.techrepublic.com/article/cisa-fbi-memory-safety-recommendations