This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs).
It’s just the obvious thing. C and C++ don’t have safeguards against dangerous programming mistakes. Programming languages exist that do. There are to this day still software vulnerabilities being caused by subtly incorrect code that C and C++ require being treated as legitimate.
C and C++ don’t have safeguards against dangerous programming mistakes.
This is not really true for modern C++… and if you’re talking about code bases that use an ancient dialect of C++ where it might be true, the fantasy of even having the option of porting to Rust is actually pretty laughable. C will continue to be necessary for many critical things because there simply isn’t sufficient compiler support coverage for Rust to take the throne.
The difference here is that it takes discipline and training to use only those parts of C++. That requires humans in the loop to enforce those decisions. Humans are fallible.
If you make it impossible at the language level then there’s nothing to train. You just can’t do the thing unintentionally.
And they didn’t specify Rust; the aerospace industry has been using Ada for decades when it comes to mission critical stuff. Ada’s compiler has long had a similar notoriety to rust’s regarding the difficulty curve.
My guess would also be that most enterprises prefer Ada over Rust, because Rust lack standardisation. Sometimes you need to do unsafe things though and your billion dollar rocket explode.
It’s just the obvious thing. C and C++ don’t have safeguards against dangerous programming mistakes. Programming languages exist that do. There are to this day still software vulnerabilities being caused by subtly incorrect code that C and C++ require being treated as legitimate.
This is not really true for modern C++… and if you’re talking about code bases that use an ancient dialect of C++ where it might be true, the fantasy of even having the option of porting to Rust is actually pretty laughable. C will continue to be necessary for many critical things because there simply isn’t sufficient compiler support coverage for Rust to take the throne.
The difference here is that it takes discipline and training to use only those parts of C++. That requires humans in the loop to enforce those decisions. Humans are fallible.
If you make it impossible at the language level then there’s nothing to train. You just can’t do the thing unintentionally.
And they didn’t specify Rust; the aerospace industry has been using Ada for decades when it comes to mission critical stuff. Ada’s compiler has long had a similar notoriety to rust’s regarding the difficulty curve.
My guess would also be that most enterprises prefer Ada over Rust, because Rust lack standardisation. Sometimes you need to do unsafe things though and your billion dollar rocket explode.