Some of developers’ favorite programming languages cause the biggest security risk for systems that require the utmost safety, according to the White House.
The government sanctioned Office of the National Cyber Director (ONCD), recently released a report detailing that it is recommending that developers use various “memory-safe programming languages.” This list happens to exclude popular languages, such as C and C++, which have been deemed to have flaws in their memory safety that make them security risks.
As Tom’s Hardware points out, memory safety is the protection engrained within memory access that keeps bugs and vulnerabilities at bay. Such examples include the runtime error detection checks in Java, which is considered a memory-safe language. However, C and C++ have no safety checks and allow direct access to memory.
Several companies, including Microsoft and Google, have connected security vulnerabilities to memory safety issues with their systems. In 2019, Microsoft found that around 70% of security vulnerabilities were caused by memory safety issues. Google reported the same figure in 2020 in regard to bugs in its Chromium browser. Notably, Microsoft only recently expanded the compatibility of its own App Store to include developer use of languages such as C++.
With C and C++ being among the programming languages that don’t have built-in safety checks, the ONCD recommends against using them within large organizations, tech companies, and government entities. The advice coincides with President Joe Biden’s cybersecurity strategy to “secure the building blocks of cyberspace.”
Even so, the ONCD does not have an approved list of programming languages and has simply asked companies to use discernment with their software, while also opting for memory-safe hardware to minimize security issues. The closest these is to a sanctioned list is one devised by the National Security Agency (NSA) in 2022. The memory safe languages include:
- Rust
- Go
- C#
- Java
- Swift
- JavaScript
- Ruby
Tom’s Hardware noted while these languages might past the test security-wise, many of them are not developer favorites. The publication added that the languages are in the top 20, but only four of them, C#, Java, Python, and JavaScript, are consistently popular with developers.
This report is a recommendation not, a rule. It will be interesting to see how companies and developers work with it as time goes on.
