Software Makers Encouraged to Stop Using C/C++ through 2026

Software Makers Encouraged to Stop Using C/c++ by 2026

Software Makers Encouraged to Stop Using C/C++ through 2026

Home ยป News ยป Software Makers Encouraged to Stop Using C/C++ through 2026
Table of Contents

The federal executive is encouraging application producers to ditch C/C++ and take different movements that might โ€œreduce customer risk,โ€ in line with the Product Security Best Practices file. In specific, CISA and the FBI set a cut-off date of Jan. 1, 2026, for compliance with reminiscence security pointers.

The file covers pointers and proposals slightly than necessary regulations, in particular for application producers who paintings on vital infrastructure or nationwide vital purposes. The businesses particularly highlighted on-premises application, cloud products and services, and software-as-a-service.

While it isnโ€™t immediately said that the usage of โ€˜unsafeโ€™ languages may disqualify producers from executive paintings, and the file is โ€œnon-binding,โ€ the message is simple: Such practices are irrelevant for any paintings labeled as related to nationwide safety.

โ€œBy following the recommendations in this guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key Secure by Design principle,โ€ the file states.

Memory-unsafe programming languages introduce attainable flaws

The file describes memory-unsafe languages as โ€œdangerous and significantly elevates risk to national security.โ€ Development in memory-unsafe languages is the primary observe the file mentions.

Memory security has been a subject of dialogue since no less than 2019. Languages like C and C++ โ€œprovide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references.โ€ a 2023 NSA file on reminiscence security said. However, the file persisted, the ones languages lack inherent reminiscence protections that will save you reminiscence control problems. Threat actors can exploit reminiscence problems that may stand up in the ones languages.

What application producers must do through January 2026

By Jan. 1, 2026, producers must have:

  • A reminiscence security roadmap for present merchandise written in memory-unsafe languages, which โ€œshould outline the manufacturerโ€™s prioritized approach to eliminating memory safety vulnerabilities in priority code components.โ€
  • An illustration of ways the memory-safety roadmap will scale back memory-safety vulnerabilities.
  • An illustration of โ€œreasonable effortโ€ in following the roadmap.
  • Alternatively, producers must use a memory-safe language.

Memory-safe languages licensed through the NSA come with:

  • Python.
  • Java.
  • C#.
  • Go.
  • Delphi/Object Pascal.
  • Swift.
  • Ruby.
  • Rust.
  • Ada.

SEE: Benefits, dangers, and perfect practices of password managers (roosho)

Other โ€˜bad practicesโ€™ range from deficient passwords to loss of disclosures

Other practices categorized โ€œexceptionally riskyโ€ through CISA and the FBI come with:

  • Allowing user-provided enter immediately within the uncooked contents of a SQL database question string.
  • Allowing user-provided enter immediately within the uncooked contents of an working machine command string.
  • Using default passwords. Instead, producers must make sure that their product supplies โ€œrandom, instance-unique initial passwords,โ€ calls for the customers to create new passwords in the beginning of the set up procedure, calls for bodily get right of entry to for preliminary setup, and transitions present deployments clear of default passwords.
  • Releasing a product containing a vulnerability from CISAโ€™s Known Exploited Vulnerabilities (KEV) Catalog.
  • Using open supply application with identified exploitable vulnerabilities.
  • Failing to leverage multifactor authentication.
  • Lacking the potential to collect proof of intrusion if an assault does happen.
  • Failing to post well timed CVEs together with the Common Weakness Enumeration (CWE), which signifies the kind of weak spot underlying the CVE.
  • Failing to post a vulnerability disclosure coverage.

The complete file contains really useful subsequent steps organizations can use to agree to the businessesโ€™ pointers.

author avatar
roosho Senior Engineer (Technical Services)
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog.ย 
share this article.

ADVERTISEMENT

ADVERTISEMENT

Enjoying my articles?

Sign up to get new content delivered straight to your inbox.

Please enable JavaScript in your browser to complete this form.
Name