According to the Product Security Best Practices report, the federal government is urging software manufacturers to move away from C/C++ and adopt additional measures that could “reduce consumer risk.” In particular, CISA and the FBI set a target date of Jan. 1, 2026, for conformity with memory safety guidelines.
The report consists of recommendations rather than strict regulations, aimed especially at software companies that work on critical infrastructure or national critical functions. The agencies specifically called out on-premises software, cloud providers, and software-as-a-service.
While the report does not explicitly state that using ‘unsafe’ languages will exclude manufacturers from government work, and it is described as “non-binding,” the message is clear: these practices are unsuitable for any work deemed relevant to national security.
By adhering to the recommendations in this guidance, manufacturers signal to customers that they are taking ownership of security outcomes for their users, a key Secure by Design principle, the report states.
Memory-unsafe programming languages introduce potential flaws
The report describes the use of memory-unsafe languages as “dangerous” and as substantially raising the risk to national security. The first item on the report’s list is development in a memory-unsafe language.
Memory safety has been a hot topic since at least 2019. Languages like C and C++ “provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references,” a 2023 NSA statement on memory safety said. However, the statement continued, those languages lack the built-in memory protections that could prevent memory management errors. Threat actors can exploit the memory safety issues that arise in those languages.
What software developers need to do by January 2026
By Jan. 1, 2026, manufacturers should have:
- A memory safety roadmap for existing products written in memory-unsafe languages, which “should outline the product’s prioritized approach to eliminating memory safety vulnerabilities in priority code components.”
- A demonstration of how the memory safety roadmap will reduce memory safety vulnerabilities.
- A demonstration of “reasonable effort” in following the roadmap.
- Furthermore, manufacturers should use a memory-safe language for new products.
Memory-safe languages recognized by the NSA include:
- Python.
- Java.
- C#.
- Go.
- Delphi/Object Pascal.
- Swift.
- Ruby.
- Rust.
- Ada.
Other ‘bad practices’ range from weak passwords to missing disclosures
Other practices labeled “exceptionally risky” by CISA and the FBI include:
- Allowing user-provided input to be directly included in the raw contents of a SQL database query string.
- Allowing user-provided input to be directly included in the raw contents of an operating system command string.
- Using default passwords. Instead, manufacturers should ensure their product provides “random, instance-unique initial passwords,” requires users to create new passwords at the start of the installation process, requires physical access for initial setup, and transitions existing deployments away from default passwords.
- Releasing a product that contains a vulnerability listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
- Using open source software with known exploitable vulnerabilities.
- Failing to leverage multifactor authentication.
- Having no capability to gather intrusion evidence if an attack does occur.
- Failing to publish timely CVEs, including the Common Weakness Enumeration (CWE) that identifies the type of weakness underlying the CVE.
- Failing to publish a vulnerability disclosure policy.
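To make the first and third items on that list concrete, here is an added example (not code from the report or from any vendor) that contrasts a query built by splicing user input into the SQL string with a parameterized query, and generates a random, instance-unique initial password instead of a shared default. The table contents and the probe string are constructed for the demonstration.

```python
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny in-memory user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Bad practice from the report: user input lands in the raw query string,
    # so any quote characters in it are interpreted as SQL.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Parameterized query: the driver binds the value; it is never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def initial_password(nbytes: int = 16) -> str:
    # Random, instance-unique initial password, generated per installation
    # from the OS CSPRNG rather than shipped as a shared default.
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    print("unsafe:", lookup_unsafe(db, probe))  # returns every user
    print("safe:  ", lookup_safe(db, probe))    # returns nothing
    print("initial password:", initial_password())
```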
The full report includes suggested next steps businesses can take to align with the guidelines set forth by the agencies.