The US government wants companies to stop using C and C++ because they are unsafe
- US government agencies are speaking out about memory-insecure languages
- C/C++ pose a “risk to national security”, the economy, public health and safety
- Developers working with critical infrastructure are advised to follow further guidance
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have advised companies not to use the popular programming languages C and C++ due to security concerns.
The joint reportTitled “Product Security Bad Practices,” it is part of CISA’s “Secure by Design” initiative and hopes to steer software manufacturers away from risky practices when creating products for critical infrastructure.
The use of memory-insecure languages, such as C and C++, was highlighted in the report as one of the top security threats.
CISA and FBI warn against the use of C/C++
Described as “dangerous” and a “risk to national security, national economic security, and national public health and safety,” the agencies recommend against the use of memory-unsafe languages where memory-safe languages are a viable alternative.
Other recommended actions include publishing a memory safety roadmap by January 1, 2026, detailing steps to address vulnerabilities, especially for sensitive components. However, products whose support ends before January 1, 2030 are exempt from these guidelines.
More broadly, a Stack Overflow survey of more than 3,000 UK developers last month found that almost two-thirds (63%) of developers in Britain preferred JavaScript, a memory-safe language.
The agencies also emphasize some general security oversights, suggesting that companies build products in such a way that they prevent the introduction of SQL injection vulnerabilities and command injection vulnerabilities. The advisory also recommends avoiding the use of default passwords by requiring the use of secure login credentials at installation.
In terms of continued support, the two agencies also call on companies to issue CVEs in a “timely” manner, especially for critical, high-impact vulnerabilities, whether discovered internally or by a third party.
Full details of the advice can be found on the CISAs website.