Biden Administration Advocates for Memory-Safe Languages, Urges Shift from C and C++ to Mitigate Security Risks
The Biden administration has issued a strong directive urging software developers to transition from traditional languages like C and C++ to those that offer better memory safety. This call comes from the White House Office of the National Cyber Director (ONCD) and aims to tackle a significant portion of security vulnerabilities found in modern software systems.
In a report released on August 26, the ONCD highlighted the critical need for memory-safe programming languages to mitigate risks associated with cyberattacks. The White House emphasized that adopting such languages could drastically reduce the incidence of vulnerabilities related to memory access, such as buffer overflows and out-of-bounds reads. These types of vulnerabilities are notoriously difficult to manage and have been linked to approximately 70 percent of all security issues, according to recent studies by Microsoft and Google.
Memory-safe languages are designed to protect against these common errors by ensuring that the program does not accidentally access or modify memory it shouldn’t. This approach could substantially enhance the overall security posture of software systems by preventing entire classes of vulnerabilities from being introduced. National Cyber Director Harry Coker underscored the national responsibility to address these critical security challenges by adopting safer programming practices.
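To make concrete what the report means by memory safety, here is an added example that is not part of the ONCD report or this article: a length-prefixed record parser written in Rust. In C, an attacker-controlled length byte passed to an unchecked copy is the classic route to an out-of-bounds read; Rust's bounds-checked slice access makes the parser reject such a record instead of reading past the buffer. The record format and sample bytes are constructed for illustration.

```rust
// Added example (not from the ONCD report or the article): a length-prefixed
// record parser, the classic source of out-of-bounds reads in C, written so
// that Rust's bounds-checked slicing rejects malformed input instead of
// reading past the buffer.

/// One record: a single length byte followed by that many payload bytes.
/// Returns the payload and the remaining input, or None if the declared
/// length runs past the end of the buffer.
pub fn parse_record(input: &[u8]) -> Option<(&[u8], &[u8])> {
    // `.get(0)` returns None on an empty slice; indexing `input[0]` would panic
    // rather than read uninitialised memory as an unchecked C read might.
    let len = *input.get(0)? as usize;
    let body = input.get(1..)?;
    // `get(..len)` is the bounds check: in C, `memcpy(dst, body, len)` with a
    // `len` larger than the remaining buffer would read out of bounds.
    let payload = body.get(..len)?;
    let rest = &body[len..]; // safe: `len <= body.len()` was just established
    Some((payload, rest))
}

/// Parse every record in a buffer; any truncated record makes the whole
/// message invalid rather than silently yielding a partial result.
pub fn parse_all(mut input: &[u8]) -> Option<Vec<Vec<u8>>> {
    let mut records = Vec::new();
    while !input.is_empty() {
        let (payload, rest) = parse_record(input)?;
        records.push(payload.to_vec());
        input = rest;
    }
    Some(records)
}

fn main() {
    // Constructed sample: two well-formed records, then a message whose
    // second length byte (0x10) claims 16 bytes when only 2 remain.
    let good: &[u8] = &[3, b'a', b'b', b'c', 1, b'z'];
    let bad: &[u8] = &[3, b'a', b'b', b'c', 0x10, b'x', b'y'];
    println!("{:?}", parse_all(good)); // Some([[97, 98, 99], [122]])
    println!("{:?}", parse_all(bad)); // None
}
```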
The US Cybersecurity and Infrastructure Security Agency (CISA) has also been vocal about the benefits of memory-safe programming languages. In a September blog post, CISA echoed the ONCD’s recommendations, aligning with a broader effort that includes contributions from the FBI, NSA, and international allies. Their collective report, “The Case for Memory Safe Roadmaps,” released in December, supports the move towards languages that are inherently designed to avoid common security pitfalls.
The ONCD report specifically cited C and C++ as examples of languages with well-documented memory safety vulnerabilities. In contrast, languages such as Rust were highlighted for their robust memory safety features. Other languages considered to be memory-safe include C#, Go, Java, Ruby, and Swift, according to an NSA cybersecurity information sheet from November 2022.
Despite the push for memory safety, C and C++ remain popular among developers. Statistics from 2023 show that 22 percent of software programmers use C++, and 19 percent use C. However, in the broader context of programming language popularity, Python leads, followed by C, C++, and Java, according to the TIOBE Programming Community index. This ongoing reliance on older, less safe languages poses a challenge for achieving the security improvements sought by the administration.