NSA advises moving away from C/C++

Below is a direct quote from the Software Memory Safety information sheet that NSA published in November 2022.

NSA advises organizations to consider making a strategic shift from programming languages that provide little or no inherent memory protection, such as C/C++, to a memory safe language when possible.

C and C++ are two of the most widely used systems languages, found throughout performance-critical software such as operating systems, device drivers, and game engines. Their biggest weakness is that memory management is left entirely to the programmer: nothing in the language prevents a buffer overflow, a use-after-free, or a null pointer dereference, and each of these can end in a crash or, in the attacker-controlled case, an exploitable vulnerability.
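To make the three bug classes concrete, here is an added example in C (constructed for this post, not code from the NSA sheet or from any of the projects mentioned). It pairs each unsafe pattern with its hardened form: an unchecked `strcpy` into a fixed-size `name` field that sits right before an `admin` flag, beside a length-checked copy that also rejects a NULL record; and a heap-allocated session token that is freed but left dangling, beside a logout that nulls the pointer so a later use is a detectable error rather than a read of freed memory. The struct names, field sizes and sample inputs are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a fixed-size record of the kind common in C code.
 * The name buffer sits directly before the admin flag in memory. */
#define NAME_LEN 16

struct user {
    char name[NAME_LEN];
    int  admin;
};

/* Buffer overflow: strcpy() trusts that src fits in name[]. A longer src
 * writes past the end of name[] into admin (and beyond), which is undefined
 * behaviour and a classic privilege-escalation primitive. Shown only for
 * the pattern; it is never called with oversize input here. */
void set_name_unsafe(struct user *u, const char *src) {
    strcpy(u->name, src);
}

/* Hardened version: validate before copying. Returns 0 on success, -1 if
 * src does not fit (including its terminating NUL) or a pointer is NULL,
 * so the caller can reject the input instead of corrupting the record. */
int set_name_safe(struct user *u, const char *src) {
    if (u == NULL || src == NULL)
        return -1;                      /* avoids a NULL pointer dereference */
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        return -1;                      /* no room for the NUL terminator */
    memcpy(u->name, src, n + 1);        /* copy exactly n bytes plus NUL */
    return 0;
}

/* A heap-allocated session token, used to show use-after-free. */
struct session {
    char *token;
};

/* Allocate a session holding a private copy of token; NULL on failure. */
struct session *session_open(const char *token) {
    struct session *s = malloc(sizeof *s);
    if (s == NULL)
        return NULL;
    size_t n = strlen(token) + 1;
    s->token = malloc(n);
    if (s->token == NULL) {
        free(s);
        return NULL;
    }
    memcpy(s->token, token, n);
    return s;
}

/* Use-after-free setup: the token is freed but the pointer is left
 * dangling, so any later read through s->token touches freed memory. */
void session_logout_unsafe(struct session *s) {
    free(s->token);
}

/* Hardened version: null the pointer right after freeing it. A later use
 * becomes a NULL check the code can handle, not a read of freed heap. */
void session_logout_safe(struct session *s) {
    free(s->token);
    s->token = NULL;
}

/* Length of the live token, or -1 if the session has been logged out. */
int session_token_len(const struct session *s) {
    if (s == NULL || s->token == NULL)
        return -1;
    return (int)strlen(s->token);
}

int main(void) {
    struct user u = {{0}, 0};
    /* Constructed oversize input: 24 'A's, longer than NAME_LEN. */
    const char *oversize = "AAAAAAAAAAAAAAAAAAAAAAAA";
    int rc;

    rc = set_name_safe(&u, "alice");
    printf("set_name_safe(\"alice\")  -> %d, name=%s admin=%d\n", rc, u.name, u.admin);
    rc = set_name_safe(&u, oversize);
    printf("set_name_safe(oversize) -> %d, name=%s admin=%d (untouched)\n", rc, u.name, u.admin);

    struct session *s = session_open("tok-123");
    printf("token length before logout: %d\n", session_token_len(s));
    session_logout_safe(s);
    printf("token length after logout:  %d\n", session_token_len(s));
    free(s);
    return 0;
}
```

Compiling with `-fsanitize=address` and calling `session_logout_unsafe` followed by `session_token_len` is the quickest way to see the use-after-free reported at run time; the point of the hardened versions is that the same mistakes are either refused (the oversize name) or turned into an ordinary return code (the logged-out session) without any sanitizer present.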

In a 2019 analysis of its own security patches, Microsoft found that roughly 70% of the vulnerabilities it assigns a CVE to each year are memory safety issues in C/C++ code. Google in 2021 reported a similar share for high-severity bugs in Chrome. These findings highlight the severity of the problem and the need to move towards safer alternatives.

While it is possible in principle to avoid these errors, expecting developers to write completely bug-free code is unrealistic, especially across millions of lines. Even the Linux kernel, written by some of the world's best C programmers, has over 2,000 open memory-related bugs as of this writing.

This is why NSA is asking organizations to move away from C/C++. Specifically, NSA lists C#, Go, Java, Ruby, Rust, and Swift as examples of memory-safe languages to adopt. Unfortunately, most of them are not drop-in replacements for C/C++ in high-performance applications: they rely on a run-time mechanism (a garbage collector, or reference counting in Swift's case) to manage memory, and garbage collectors in particular add memory overhead and unpredictable pause times, which is a serious problem for real-time systems. Rust is the exception, since it enforces memory safety at compile time through its ownership and borrowing rules rather than through a run-time collector, but it is still relatively new and may take years to gain wide adoption.

In conclusion, while it may not be possible to stop using C/C++ entirely, organizations and developers should consider a memory-safe language for new projects.