
Bjarne Stroustrup responds to the US NSA's recommendation to abandon the use of C and C++

Bjarne Stroustrup, inventor of the C++ programming language, has responded to the US National Security Agency (NSA) about the agency's recommendation to abandon the use of C and C++ in favour of modern programming languages (C#, Go, Java, Ruby, Rust and Swift) that provide automatic memory management or enforce memory-safety checks at compile time.


Stroustrup urged the NSA to first think seriously about what "safety" means for the new languages, and only then propose something sensible about it.

The scientist and developer believes that the "safe" programming languages named in the NSA report are not actually superior to C++ in the applications he considers important. In particular, the C++ Core Guidelines, which have been developed over the past several years, cover safe programming practices and direct developers to use facilities that guarantee type safety and resource safety. Developers who do not need such strict safety guarantees remain free to use the older development methods in their projects.

Stroustrup explained that a good static analyzer that enforces the C++ Core Guidelines can provide the necessary safety guarantees for C++ code, and is much less expensive than migrating to newer memory-safe programming languages. For example, most of the Core Guidelines recommendations are implemented in the static analyzer and memory-safety profile included in Microsoft Visual Studio. Some of the guidelines are also implemented in the clang-tidy static analyzer.
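As an added illustration (not code from the article or from the C++ Core Guidelines project) of the kind of pattern the Guidelines' bounds profile asks a checker to flag, the example below places the raw pointer-plus-length form beside the container-based form the Guidelines recommend; the function names and sample data are constructed here:

```cpp
// Added example, not from the article or the C++ Core Guidelines project:
// the raw-pointer pattern the Guidelines' bounds profile flags, beside the
// container-based form it recommends. All data is constructed here.
#include <cstddef>
#include <stdexcept>
#include <vector>

// Old style: the length travels separately from the buffer, so nothing
// prevents a caller from passing the wrong one and reading past the end
// (undefined behaviour). A Guidelines checker reports the pointer
// arithmetic in `p[i]` and suggests a span or container instead.
long sum_unchecked(const int* p, std::size_t len) {
    long total = 0;
    for (std::size_t i = 0; i < len; ++i) total += p[i];
    return total;
}

// Guideline style: the container knows its own size, so range-for cannot
// step outside it. (With C++20, std::span gives the same guarantee for
// non-owning views.)
long sum_checked(const std::vector<int>& data) {
    long total = 0;
    for (int v : data) total += v;
    return total;
}

// Indexed access through at(): an out-of-range index raises
// std::out_of_range instead of silently reading adjacent memory.
int element_at(const std::vector<int>& data, std::size_t i) {
    return data.at(i);
}

// True when an out-of-range index is rejected rather than read.
bool rejects_out_of_range(const std::vector<int>& data, std::size_t i) {
    try {
        element_at(data, i);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Constructed sample input.
const std::vector<int> kSample{1, 2, 3, 4, 5};

int main() {
    // Sum both ways, then probe one-past-the-end via the checked path.
    bool ok = sum_unchecked(kSample.data(), kSample.size()) == sum_checked(kSample)
              && rejects_out_of_range(kSample, kSample.size());
    return ok ? 0 : 1;
}
```

The unchecked form is the one a Core Guidelines checker would report; the checked forms compile cleanly under the bounds profile and turn a silent over-read into a reported error.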

Stroustrup criticised the NSA report for focusing only on memory-handling issues, leaving out many other programming-language issues that affect the security and reliability of projects.

In Stroustrup's view, safety must be seen as a broader concept, the various facets of which can be achieved through a combination of coding style, the use of proven libraries and static analyzers.

Stroustrup also suggests using annotations in code and compiler options to control which rules for safe handling of types and resources are enabled. In his view, not everyone puts safety first. For example, in applications where performance matters more than safety, this approach allows safety features to be applied selectively, only where they are needed. The safety enforcement tools can also be applied gradually, for instance by enforcing the scope and initialization rules first and then adapting the code to stricter requirements over time.

Stroustrup stressed that safety issues are not ignored in the C++ community, since that would be very damaging to many projects. At the same time, focusing solely on safety makes it difficult to produce something usable and workable that projects can adopt immediately.

At the end of his response, Stroustrup suggested that in future the NSA should consult on the safety of programming languages not with a hypothetical "comprehensive software development community" but with subject-matter experts and specialists on the ISO C++ standards committee.

In November 2022, the NSA released a report stating that the widely used C and C++ programming languages give attackers more opportunities for exploitation. The NSA therefore recommends that organisations switch to memory-safe programming languages such as C#, Go, Java, Ruby, Rust and Swift. According to experts, this will help prevent certain classes of memory-related vulnerabilities from occurring.
