Why The Biden Admin Is Telling Programmers To Avoid C And C++
For context, cybersecurity vulnerabilities are tracked in a variety of ways online, such as with the Known Exploited Vulnerabilities (KEV) Catalog from the Cybersecurity and Infrastructure Security Agency (CISA). These sorts of catalogs, together with independent research from organizations like MITRE, give us insight into what some of the biggest problems in software and hardware are, which can be boiled down in the Common Weakness Enumeration (CWE). The CWE list compiles all the top weaknesses, and in 2023 it was led by a memory corruption weakness found prevalently in C and C++ programs.
The ONCD report notes this with references to several past vulnerabilities that were exploited with great success, such as the recent BLASTPASS chain and the past Heartbleed problem. As alluded to, the common denominator here is the programming language, and as such, the “highest leverage method to reduce memory safety vulnerabilities is to secure one of the building blocks of cyberspace: the programming language.”
As such, the Administration and other government agencies, such as the National Security Agency, recommend that developers move toward memory-safe programming languages to help eliminate this class of vulnerabilities. The published list of languages includes Rust, Go, C#, Python, and several others.
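To make the "memory corruption weakness" concrete, here is an added illustration (not code from the ONCD report or from this article) of the classic C pattern behind out-of-bounds writes: copying untrusted input into a fixed-size buffer without comparing lengths, placed beside the bounds-checked form a defender would require. The `struct record`, the field names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed example: a fixed-size record of the kind a parser might hold. */
#define NAME_MAX 16

struct record {
    char name[NAME_MAX];
    uint32_t is_admin;   /* sits directly after the buffer in memory */
};

/* Length of s, never scanning more than max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') {
        n++;
    }
    return n;
}

/* Vulnerable pattern (out-of-bounds write): the length of the untrusted
 * input is never compared against the buffer size. With NAME_MAX or more
 * characters, strcpy writes past name[] into whatever follows it. The
 * compiler does not stop this; only the programmer's check would. */
void set_name_unchecked(struct record *r, const char *src) {
    strcpy(r->name, src);
}

/* Hardened version: reject input that does not fit (leaving room for the
 * terminating NUL) and always terminate. Returns 0 on success, -1 if rejected. */
int set_name_checked(struct record *r, const char *src) {
    size_t n = bounded_len(src, NAME_MAX);
    if (n >= NAME_MAX) {
        return -1;
    }
    memcpy(r->name, src, n);
    r->name[n] = '\0';
    return 0;
}

/* Input-validation helper: 1 if src fits in the name buffer, else 0. */
int name_fits(const char *src) {
    return bounded_len(src, NAME_MAX) < NAME_MAX;
}

/* Returns 1 if the checked store accepted src and left the neighbouring
 * field untouched; 0 if the input was rejected. */
int checked_store_preserves_neighbour(const char *src) {
    struct record r = { .name = "", .is_admin = 0 };
    int rc = set_name_checked(&r, src);
    return rc == 0 && r.is_admin == 0 && strcmp(r.name, src) == 0;
}

int main(void) {
    struct record r = { .name = "", .is_admin = 0 };
    const char *ok = "alice";                                /* constructed */
    const char *too_long = "a-name-that-is-longer-than-sixteen"; /* constructed */

    printf("checked(ok)       = %d, is_admin=%u\n",
           set_name_checked(&r, ok), (unsigned)r.is_admin);
    printf("checked(too_long) = %d, is_admin=%u\n",
           set_name_checked(&r, too_long), (unsigned)r.is_admin);

    /* The unchecked variant is only ever called here with input that fits;
     * calling it with too_long is undefined behaviour. */
    set_name_unchecked(&r, ok);
    return 0;
}
```

The point of placing the two functions side by side is that nothing in the C language distinguishes them: both compile cleanly, and only the explicit length comparison in `set_name_checked` keeps the write inside the buffer. In a memory-safe language the equivalent copy is bounds-checked by the runtime or rejected by the compiler, which is what the recommendation in the text is about.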