US National Security Agency recommends using memory safe programming languages instead of C/C++ when possible, because hackers frequently exploit memory issues.

The creator of C++, Bjarne Stroustrup, is defending the venerable programming language after the US National Security Agency (NSA) recently recommended against using it. NSA advises organizations to use memory safe languages instead.

Responding to the agency’s November 2022 bulletin on software memory safety, Stroustrup, who designed C++ in 1979, stressed decades-long efforts to enable better, safer, and more efficient C++. “In particular, the work on the C++ Core Guidelines specifically aims at delivering statically guaranteed type-safe and resource-safe C++ for people who need that without disrupting code bases that can manage without such strong guarantees or introducing additional tool chains,” Stroustrup said in a published response.

The NSA bulletin recommends against the use of C/C++ because, despite programmers often performing rigorous testing to ensure code is safe, memory issues in software still comprise a large portion of exploited vulnerabilities. “NSA advises organizations to consider making a strategic shift from programming languages that provide little or no inherent memory protection, such as C/C++, to a memory-safe language when possible,” the agency said. The agency cited memory-safe languages such as C#, Go, Java, Ruby, Rust, and Swift.

NSA said commonly used languages such as C and C++ provide freedom and flexibility in memory management while heavily relying on the programmer to perform checks on memory references.

But Stroustrup emphasized improvements to safety. “Now, if I considered any of those ‘safe’ languages superior to C++ for the range of uses I care about, I wouldn’t consider the fading out of C/C++ as a bad thing, but that’s not the case.
Also, as described, ‘safe’ is limited to memory safety, leaving out on the order of a dozen other ways that a language could (and will) be used to violate some form of safety and security.”

He also lamented NSA’s memo pairing C++ with the older C language. C++, originally called C with Classes, is an extension of C. “As is far too common, it lumps C and C++ into the single category C/C++, ignoring 30-plus years of progress.”

In an email to InfoWorld late last week, Stroustrup added, “Yes, far too many people talk about the mythical C/C++ language and then often proceed to focus on the weaknesses of the C part. Many of those weaknesses can be avoided in C++; typically, by writing more-efficient code that more directly expresses the intent of the programmer.”

Stroustrup in the email also shared his definition of safety: He aims for type and resource safety, in which every object is used according to its type and no resource is leaked. For C++, this implies some runtime range checking, eliminating access through dangling pointers, and avoiding misuses of casts and unions. C++ offers high-level facilities, such as containers, span, range-for loops, and variants that can offer guarantees without damaging productivity or efficiency.

Regarding the so-called safe languages the NSA cited, Stroustrup said all of the languages are vulnerable through code that is not statically verified. Further, every system must use hardware, and effective hardware access is rarely safe, he said.

Stroustrup outlined his strategy for safe use of C++:

- Static analysis to verify that no unsafe code is executed.
- Coding rules to simplify the code to make industrial-scale static analysis feasible.
- Libraries to make such simplified code reasonably easy to write and ensure runtime checks where needed.

Stroustrup said there are millions of C++ programmers and billions of lines of C++ code.
Primary current uses for the language include aerospace, medical instrumentation, AI/ML, graphics, bio-medicine, high-energy physics, and others.

NSA acknowledged that memory management is not entirely safe even in a “memory-safe” language and that mechanisms such as static and dynamic application security testing (SAST and DAST) can be used to improve memory safety in so-called non-memory-safe languages. But neither SAST nor DAST can make non-memory-safe code totally safe, NSA said.
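The runtime range checking, range-for loops and variants mentioned above can be seen in a small parser for untrusted input. This is an added example, not code from the article, from Stroustrup or from the C++ Core Guidelines; the record format and the names `parse_records` and `sum_numbers` are hypothetical, and it sticks to C++17 facilities, so `std::span` (C++20) is not used.

```cpp
#include <cstdint>
#include <optional>
#include <stdexcept>
#include <string>
#include <variant>
#include <vector>

// A decoded field is exactly one of these types. std::variant tracks which one,
// unlike a raw union, where reading the wrong member is undefined behaviour.
using Field = std::variant<std::uint32_t, std::string>;

// Hypothetical record format, constructed for this example:
//   [tag:1][len:1][payload:len]   tag 1 = big-endian u32, tag 2 = text
// Returns std::nullopt on malformed input instead of reading out of range.
std::optional<std::vector<Field>> parse_records(const std::vector<std::uint8_t>& buf) {
    std::vector<Field> out;
    std::size_t pos = 0;
    try {
        while (pos < buf.size()) {
            const std::uint8_t tag = buf.at(pos);
            const std::uint8_t len = buf.at(pos + 1);  // checked: throws if truncated
            pos += 2;
            if (tag == 1 && len == 4) {
                std::uint32_t v = 0;
                for (std::size_t i = 0; i < 4; ++i) v = (v << 8) | buf.at(pos + i);
                out.emplace_back(v);
            } else if (tag == 2) {
                std::string s;
                for (std::size_t i = 0; i < len; ++i) s.push_back(static_cast<char>(buf.at(pos + i)));
                out.emplace_back(std::move(s));
            } else {
                return std::nullopt;                   // unknown tag or bad length
            }
            pos += len;
        }
    } catch (const std::out_of_range&) {
        return std::nullopt;                           // length field overstated the buffer
    }
    return out;
}

// Sum only the numeric fields. get_if yields nullptr for the wrong alternative,
// so a string can never be reinterpreted as an integer.
std::uint64_t sum_numbers(const std::vector<Field>& fields) {
    std::uint64_t total = 0;
    for (const Field& f : fields)                      // range-for: no index to get wrong
        if (const auto* n = std::get_if<std::uint32_t>(&f)) total += *n;
    return total;
}
```

With `operator[]` in place of `.at()`, a record whose length byte overstates the remaining data would read past the end of the buffer; here the same input is rejected.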