Source URL: https://thenewstack.io/feds-critical-software-must-drop-c-c-by-2026-or-face-risk/
Source: Hacker News
Title: Feds: Critical Software Must Drop C/C++ by 2026 or Face Risk
AI Summary and Description: Yes
Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a critical report warning software manufacturers about dangerous security practices, especially concerning the use of memory-unsafe programming languages like C and C++. The report outlines categorized bad practices and sets deadlines for manufacturers to adopt memory safety protocols, significantly impacting the security landscape for critical infrastructure.
Detailed Description:
The recent report from CISA and the FBI highlights serious security concerns in software development that can have severe implications for national security, economic stability, and public health. Below are the essential insights and implications for security and compliance professionals:
– **Joint Warning**: CISA and the FBI emphasize the risks associated with using memory-unsafe programming languages for software that supports critical infrastructure and national critical functions (NCFs).
– **Bad Practices Identified**: The report categorizes bad practices into three areas:
  – **Product Properties**: Observable security qualities inherent in a software product.
  – **Security Features**: Functionalities that enhance the security of a product.
  – **Organizational Processes**: Actions that software manufacturers take to ensure transparency and robustness in security practices.
– **Target Audience**: The report primarily addresses software manufacturers involved in creating on-premises software, cloud services, and Software as a Service (SaaS) aimed at critical infrastructure.
– **Recommendations for Improvement**: Key recommendations include:
  – Adoption of memory-safe programming languages to mitigate risk.
  – Development of a published memory safety roadmap by January 1, 2026, detailing the prioritized approach to remedy existing memory safety vulnerabilities.
  – Elimination of default passwords from administrative accounts by the same deadline.
– **Impending Deadlines**: Software manufacturers must adhere to these guidelines, as failure to create a roadmap could be seen as negligent and expose them to increased risk.
– **Open Source Software Considerations**: The report has specific recommendations for open source software, stressing the importance of:
  – Maintaining Software Bills of Materials (SBOMs).
  – Responsible consumption of and contribution to open source projects.
  – Transparency in vulnerability disclosures and security practices.
– **Importance of Action**: Brad Shimmin, an analyst, notes that these guidelines necessitate significant industry shifts regarding memory safety and coding practices. The report serves as a stark reminder that the industry must enhance its security posture for critical software applications.
– **Future Trends**: There may be movement towards safer programming practices, including proposals like Safe C++, which aim to bolster existing languages without the need for extensive rewrites.
In conclusion, the CISA and FBI report acts as both a warning and a guide for software manufacturers, making compliance a critical aspect of modern software development, especially for those involved in critical infrastructure. This new expectation for security practices signals a collective push toward higher standards of safety in software engineering.