The Register: The US government wants developers to stop using C and C++

Source URL: https://www.theregister.com/2024/11/08/the_us_government_wants_developers/
Source: The Register
Title: The US government wants developers to stop using C and C++

Feedly Summary: Does anyone want to tell Linus Torvalds? No? I didn’t think so
Opinion I must be a glutton for punishment. Not only was my first programming language IBM 360 Assembler, my second language was C. Programming anything in them wasn’t easy. Programming safely in either is much harder.…

AI Summary and Description: Yes

Summary: The text discusses the increasing pressure from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to transition from memory-unsafe programming languages, particularly C and C++, to memory-safe alternatives like Rust. It highlights security vulnerabilities associated with memory-unsafe languages and the ongoing struggle within the developer community regarding this shift.

Detailed Description:

– **CISA and FBI Initiatives**: The two agencies are urging software manufacturers to stop shipping products built in “memory-unsafe” languages, treating their continued use as a product security bad practice.
– **Memory Safety Report**: The report warns against using languages like C and C++ for critical infrastructure, noting that over half of the critical open-source projects examined contain code written in memory-unsafe languages.
– **Vulnerabilities in Memory-Unsafe Languages**:
– Memory safety vulnerabilities, such as buffer overflows and use-after-free errors, are prevalent and severe because they let an adversary read or write memory the program never intended to expose, which is the usual first step to code execution or data theft.
– Roughly 70% of security vulnerabilities in large C and C++ codebases (the figure Microsoft and Google have each reported for their own products) stem from memory safety issues, which is the core of the case for moving to safer languages.
– **Recommended Alternatives**: CISA suggests memory-safe languages such as Rust, Java, C#, Go, Python, and Swift, which enforce bounds checks and automatic memory management (garbage collection, or Rust’s ownership and borrowing rules) by default rather than leaving them to the programmer.
– **Industry Challenges**:
– Transitioning to these languages is not straightforward; it requires substantial engineering effort and cost, and rewriting working code risks regressions in existing functionality.
– The developer community shows resistance, with experts who have decades of familiarity with C and C++ reluctant to learn new languages.
– **Discussion in the Community**: The debate over Rust versus C has taken on a “religious” dimension, indicating deep-seated opinions about programming paradigms, performance, and developer preferences.
– **Corporate Resistance**: The financial argument presented by CISA struggles against the corporate mindset that prioritizes short-term profits over long-term security investments, making widespread adoption of memory-safe languages unlikely in the near future.
– **Projected Timeline for Transition**: The guidance asks manufacturers of existing products written in memory-unsafe languages to publish a memory safety roadmap by January 1, 2026, but the author is skeptical that much will change in the 2020s and expects substantial progress only in the following decade.
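To make the “memory-unsafe” label concrete, here is an added example (not code from The Register article or from CISA’s guidance) showing three classic C defects the report’s categories cover, each beside the hardened form a C programmer has to write by hand: an unbounded string copy into a fixed buffer, an integer overflow in an allocation size, and a use-after-free through a dangling pointer. The point is that a memory-safe language performs every one of these checks automatically, whereas in C nothing enforces them. All identifiers (`record`, `set_name_*`, `alloc_records_*`, `release_*`, `self_check`) are hypothetical.

```c
/* Added example, not from the article: unsafe C patterns beside their hardened forms.
 * All names here are hypothetical. Build: cc -std=c11 -Wall -Wextra example.c */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

struct record {
    char name[NAME_LEN];
    bool is_admin;   /* adjacent field: an overflow of name would overwrite it */
};

/* Length of s, never scanning past max bytes (strnlen is not in ISO C). */
size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* 1a. Buffer overflow: strcpy trusts the caller. Any src longer than
 *     NAME_LEN-1 bytes writes past name into is_admin and beyond (undefined behaviour). */
void set_name_unsafe(struct record *r, const char *src) {
    strcpy(r->name, src);
}

/* 1b. Hardened: measure with a bound, refuse oversized input, always terminate.
 *     Returns false and leaves r untouched when src does not fit. */
bool set_name_safe(struct record *r, const char *src) {
    size_t n = bounded_len(src, NAME_LEN);
    if (n >= NAME_LEN)              /* no room left for the terminator */
        return false;
    memcpy(r->name, src, n);
    r->name[n] = '\0';
    return true;
}

/* 2a. Integer overflow feeding an allocation: for a large count the product
 *     wraps, malloc returns a tiny block, and the loop that fills it overflows the heap. */
struct record *alloc_records_unsafe(size_t count) {
    return malloc(count * sizeof(struct record));
}

/* 2b. Hardened: reject a count whose product would wrap; calloc zero-fills,
 *     so every is_admin starts out false. */
struct record *alloc_records_safe(size_t count) {
    if (count == 0 || count > SIZE_MAX / sizeof(struct record))
        return NULL;
    return calloc(count, sizeof(struct record));
}

/* 3a. Use-after-free: after this returns the caller's pointer still holds the
 *     freed address, and any later r->name access reads recycled memory. */
void release_unsafe(struct record *r) {
    free(r);
}

/* 3b. Hardened: take the owner's pointer by address and null it, so a stale use
 *     crashes on NULL instead of silently reading freed memory. Returns true if freed. */
bool release_safe(struct record **rp) {
    if (rp == NULL || *rp == NULL)
        return false;
    free(*rp);
    *rp = NULL;
    return true;
}

/* Exercises only the hardened paths; returns the number of checks that held (6). */
int self_check(void) {
    int passed = 0;
    struct record *recs = alloc_records_safe(2);
    if (recs == NULL) return 0;
    passed += set_name_safe(&recs[0], "alice") && strcmp(recs[0].name, "alice") == 0;
    passed += !set_name_safe(&recs[1], "a_name_longer_than_15_bytes");
    passed += recs[1].name[0] == '\0' && recs[1].is_admin == false;   /* untouched */
    passed += set_name_safe(&recs[1], "exactly15chars!") && !set_name_safe(&recs[1], "sixteen_chars_xx");
    passed += alloc_records_safe(SIZE_MAX) == NULL && alloc_records_safe(0) == NULL;
    passed += release_safe(&recs) && recs == NULL && !release_safe(&recs);
    return passed;
}

int main(void) {
    printf("hardened checks passed: %d of 6\n", self_check());
    /* The unsafe variants are only ever called here with in-bounds input: with the
     * oversized inputs above they would be undefined behaviour, not a demonstration. */
    struct record *one = alloc_records_unsafe(1);
    if (one == NULL) return 1;
    set_name_unsafe(one, "bob");
    release_unsafe(one);
    one = NULL;   /* nothing in C forces this line; forgetting it is the UAF */
    return 0;
}
```

Compile with warnings enabled and note what the compiler does not say: `set_name_unsafe` and `alloc_records_unsafe` build cleanly, because C’s type system has no notion of a buffer’s length or of a pointer’s validity after `free`. That gap, not any single bug, is what the CISA and FBI guidance means by a memory-unsafe language.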

This analysis shows how corporate priorities and the technical cost of changing programming languages bear on security professionals responsible for software development and infrastructure security. The case for adopting memory-safe languages is clear, but the obstacles outlined explain why the industry’s response has been slow and contested.