The US government recommends avoiding the C and C++ programming languages. In a new report, the White House National Cyber Director's Office (ONCD) urged developers to use "memory-safe programming languages." The advice is described as a step towards "protecting the building blocks of cyberspace."
Memory safety is protection against bugs and vulnerabilities related to memory access. Buffer overflows and dangling pointers are examples of such bugs. Java is considered a memory-safe language because it detects these errors at run time. C and C++, by contrast, allow arbitrary pointer arithmetic on direct memory addresses without bounds checking.
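The bounds check that a memory-safe runtime performs on array accesses, written out by hand in C as an added example (it is not from the ONCD report or the original article). `span_t`, `span_copy` and `struct session` are hypothetical names and the sample data is constructed; only the buffer-overflow case is covered.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Base address plus length: the bookkeeping a memory-safe runtime keeps
   for every array. A raw C pointer carries only the address. */
typedef struct { uint8_t *base; size_t len; } span_t;

enum { SPAN_OK = 0, SPAN_OUT_OF_BOUNDS = -1 };

/* Checked copy into dst at offset off. The test is written as
   n > len - off rather than off + n > len, so a huge n cannot wrap
   the addition around and slip past the check. */
int span_copy(span_t dst, size_t off, const void *src, size_t n) {
    if (off > dst.len || n > dst.len - off)
        return SPAN_OUT_OF_BOUNDS;
    memcpy(dst.base + off, src, n);
    return SPAN_OK;
}

/* Constructed sample layout: a fixed buffer followed by a privilege flag,
   the arrangement in which an unchecked overflow corrupts adjacent state. */
struct session { uint8_t name[8]; uint8_t is_admin; };

/* Attempts an oversized copy through the checked path and returns the
   flag afterwards (0 means the neighbouring field was not touched). */
int oversized_copy_leaves_flag(void) {
    struct session s;
    uint8_t input[16];                 /* constructed input, twice the buffer size */
    memset(&s, 0, sizeof s);
    memset(input, 'A', sizeof input);
    span_t name = { s.name, sizeof s.name };
    if (span_copy(name, 0, input, sizeof input) != SPAN_OUT_OF_BOUNDS)
        return -1;                     /* the check failed to reject the copy */
    return s.is_admin;
}

int main(void) {
    return oversized_copy_leaves_flag();
}
```

A plain `memcpy(s.name, input, sizeof input)` would compile without complaint and write past `name`; the languages listed below refuse the equivalent access at run time or at compile time.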
In 2019, Microsoft security engineers reported that about 70% of vulnerabilities were caused by memory safety issues. In 2020, Google reported the same figure, but for bugs found in the Chromium browser, according to Tom's Hardware.
Recommended programming languages that the NSA considers memory-safe:
- Rust
- Go
- C#
- Java
- Swift
- JavaScript
- Ruby
The report also calls for better measurement of software security. ONCD believes that better metrics allow technology providers to better plan, anticipate, and mitigate vulnerabilities before they become a problem.