US government urges move from C and C++

The US government is urging software developers to stop using the popular programming languages C and C++ due to significant security risks. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published new guidance recommending that software manufacturers prioritize security by moving away from these “memory-unsafe” languages. C and C++ are widely used but leave much of the burden for preventing vulnerabilities on developers.

Sloppy coding practices or inadequate testing can lead to security holes that allow attackers to access files or inject malicious code. Memory safety issues account for the majority of severe vulnerabilities in software. “The development of new product lines for use in critical infrastructure in a memory-unsafe language where there are readily available alternative memory-safe languages is dangerous and significantly elevates the risk to national security, economic security, and public health and safety,” the agencies stated.

The government recommends that manufacturers build products using memory-safe languages like Rust, Java, C#, Go, Python, and Swift instead. These languages have built-in protections against common memory-related errors. Products written in C or C++ whose manufacturers have not published a roadmap by 2026 for eliminating memory safety vulnerabilities are considered particularly hazardous.

Government suggests memory-safe languages transition

However, transitioning away from C and C++ poses challenges. Rebuilding entire systems in another language can lead to functionality issues.

The process is time-consuming, resource-intensive, and may introduce performance slowdowns. Companies must also invest in new development tools and frameworks to support memory-safe languages. Despite the benefits, widespread adoption of memory-safe languages is expected to be slow.

Many businesses are reluctant to make the switch due to costs and short-term thinking. The tech industry may not fully embrace the change until the 2030s. “Organizations can make progress by adopting memory-safe languages in new projects, prioritizing training to bridge the skill gap, and embedding a security-first mindset into their development culture,” said Vitor Monteiro, CTO at Uniflow.

“Balancing these steps allows them to reduce vulnerabilities gradually while preparing for a broader industry shift in the coming years.”

Moving to memory-safe languages is beneficial in the long run, but the industry faces significant hurdles in making it a widespread practice. The government’s push aims to improve software security, especially for critical infrastructure, but developers and businesses will need to navigate the challenges of this major transition.

Noah Nguyen is a multi-talented developer who brings a unique perspective to his craft. Initially a creative writing professor, he turned to Dev work for the ability to work remotely. He now lives in Seattle, spending time hiking and drinking craft beer with his fiancee.
