Using C or C++ Invites Cybersecurity Risks

The White House is calling on the tech industry to use programming languages that are less vulnerable to cyberattacks.

In a new report, the White House examines programming languages as the “primary building block” of the nation’s cybersecurity. “Programmers writing lines of code do not do so without consequence; the way they do their work is of critical importance to the national interest,” it says.

Moving to memory-safe languages can help prevent cyberattacks that have “vexed” the nation’s cybersecurity infrastructure for 35 years, according to the report, which notes that some of the most infamous cyberattacks were caused by memory safety vulnerabilities, such as the Morris worm of 1988 and the Heartbleed vulnerability in 2014.

Non-memory-safe languages include C and C++, both of which are commonly used today. Memory-safe languages include Rust, Go, C#, Java, Swift, Python, and JavaScript, SD Times reports. Switching to the latter, especially in new products, can deliver “significant security benefits,” the report says.

Those in the tech industry seem to agree. “By taking an engineering-first approach to cybersecurity policy, the White House is providing an actionable roadmap,” says Shyam Sankar, CTO at Palantir, according to Developer News.

Overhauling existing code may be out of the question, however. “Software quality would be greatly improved if we could somehow wave a magic wand and have all existing software translated to a memory-safe language,” Dan Boneh, professor of computer science, Stanford University, tells Developer News. “Unfortunately, such a magic wand does not yet exist.”

The White House recommends a “hybrid approach” to existing codebases. “For example, software developers can identify the critical functions or libraries based on risk criteria and prioritize efforts to rewrite those first.”

The report also calls for the creation of standardized metrics to measure the cybersecurity level of software. While doing so has proven challenging in the past, it would help inform policies and incentivize secure software development.



National Cyber Security