The U.S. government recommends abandoning C or C++ programming tools. In a new report, the White House Office of the National Cyber Director (ONCD) urged developers to use «memory-safe programming languages». The advice is a step toward «protecting the building blocks of cyberspace».
Memory security — is protection against bugs and vulnerabilities related to memory access. Buffer overflows and freezes are examples of this. Java is considered a memory-safe language because of its runtime error detection checking. However, C and C++ allow arbitrary arithmetic with pointers to direct memory addresses without bounds checking.
In 2019, Microsoft security engineers reported that about 70% of vulnerabilities were caused by memory security issues. In 2020, Google reported the same figure, but for bugs found in the Chromium browser, transmits Tom’s Hardware.
Recommended programming languages that the NSA considers safe for memory
- Rust
- Go
- C#
- Java
- Swift
- JavaScript
- Ruby
The report also calls for better measurement of software security. ONCD believes that better metrics enable technology vendors to better plan, anticipate, and mitigate vulnerabilities before they become a problem.