The U.S. government recommends that developers stop using C/C++ and switch to memory-safe programming languages

According to news from this site on February 29, the U.S. government recently released a cybersecurity report calling on developers to stop using programming languages ​​that are prone to memory safety vulnerabilities, such as C and C, and instead use memory-safe programming languages. development. The report was released by the Office of the Cyberspace Director (ONCD) to implement US President Joe Biden’s cybersecurity strategy, with the goal of “protecting the bedrock of cyberspace.”

Memory safety means that a program can effectively avoid potential errors and vulnerabilities when accessing memory, such as buffer overflows and dangling pointers. Java is considered a memory-safe programming language because of its runtime error detection capabilities. In contrast, C and C allow direct access to memory addresses and lack bounds checking, which makes them more prone to memory safety issues. Therefore, when developing applications, choosing the right programming language and adopting corresponding memory management strategies are crucial to ensuring memory safety.

According to research data from Microsoft and Google cited in the report, more than 70% of security vulnerabilities are closely related to memory safety issues. In addition, the report also mentioned the open source software security roadmap released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which encourages developers to adopt memory-safe programming languages ​​and implement "security by design" development methods at the early stage of the project. This approach aims to reduce the risk of security vulnerabilities needing to be fixed later by focusing on security in the early stages of software design and development. Therefore, it is crucial to emphasize memory safety during software development, which can effectively reduce potential security vulnerabilities and risks.

The 19-page report aims to emphasize that cybersecurity is not just the responsibility of individuals, but also the shared responsibility of large organizations, technology companies and governments. The report does not recommend a specific programming language to replace C and C, but emphasizes that there are multiple memory-safe programming languages ​​to choose from. The report also calls on businesses and engineers to adopt best software development practices and use memory-safe hardware to reduce the possibility of malicious attacks.

The U.S. National Security Agency (NSA) mentioned some programming languages ​​that are considered safe in a recently released cybersecurity information document. It is worth noting...

• Rust

• Go

• C

• Java

• Swift

• JavaScript

• ##Ruby

But according to the TIOBE index (a measure of programming language popularity degree indicator), C# ranks 5th in the rankings, Java is 4th, JavaScript is 6th, Go is 8th, Swift is 16th, Rust is 18th, and Ruby is 20th. It can be seen that only 4 of the languages ​​recommended by the NSA are among the most commonly used languages ​​​​by developers.

The report also emphasizes the importance of software security assessment and believes that better assessment standards can help technology companies better plan, predict and mitigate vulnerability risks. The report also highlights the importance of using memory-safe code in critical areas such as space exploration, citing the Apollo 13 moon landing mission as an example.

This report is part of a series of U.S. government cybersecurity initiatives. In March 2023, President Biden signed a cybersecurity executive order aimed at strengthening software and hardware security and establishing partnerships with the technology industry. As digitalization continues to advance, more secure programming languages ​​and development methods have become critical, and this report is the latest move to call on the industry to pay attention to this issue.

The above is the detailed content of The U.S. government recommends that developers stop using C/C++ and switch to memory-safe programming languages. For more information, please follow other related articles on the PHP Chinese website!