The US government has warned companies and software developers about “bad practices” in product development, including the use of the C and C++ programming languages. With the publication ‘Poor product security practices’, the FBI and CISA provide an overview of risky methods and working practices, especially for software companies developing software for critical infrastructure and national security. The document specifically looks at product properties, security features, and the organizational processes and policies that describe how a software company addresses security.
The use of memory-unsafe programming languages is described by the FBI and CISA as dangerous and as “significantly” increasing the risk to national security, national economic security, public health and public safety.
For existing software created in a ‘non-memory-safe’ programming language, a roadmap must be available by January 1, 2026, in which the developer describes how to switch to a ‘memory-safe’ programming language or use hardware options to avoid security vulnerabilities. This concerns, for example, buffer overflows, which in the worst case can allow an attacker to execute arbitrary code on systems.
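The buffer overflow mentioned above, shown as an added example in C (not code from the CISA/FBI document or from CisoAdvisor): a fixed-size stack buffer filled with an unbounded `strcpy()` next to a hardened copy routine that checks the input length against the destination capacity and rejects input that does not fit. The function names, the 16-byte buffer size and the sample names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX 16   /* assumed buffer size for this example */

/* Vulnerable pattern: strcpy() copies until the source's NUL terminator,
 * paying no attention to the destination size. Any input of NAME_MAX bytes
 * or more overruns buf (undefined behaviour; in practice stack corruption,
 * which is the class of defect the document warns about). */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);            /* no bounds check */
    printf("hello, %s\n", buf);
}

/* Hardened form: measure the input without ever reading past dst_size
 * bytes, refuse anything that leaves no room for the NUL terminator, and
 * only then copy. Over-long input is rejected, not silently truncated.
 * Returns true on success, false when the input does not fit. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (dst_size == 0 || n >= dst_size)   /* src is dst_size bytes or longer */
        return false;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* Same behaviour as greet_unsafe() but built on the bounded copy. */
bool greet_safe(const char *name)
{
    char buf[NAME_MAX];
    if (!copy_bounded(buf, sizeof buf, name)) {
        fprintf(stderr, "rejected: name longer than %d bytes\n", NAME_MAX - 1);
        return false;
    }
    printf("hello, %s\n", buf);
    return true;
}

int main(void)
{
    /* constructed sample inputs */
    const char *short_name = "alice";
    const char *long_name  = "this-name-is-far-too-long-for-the-buffer";

    greet_safe(short_name);   /* prints the greeting, returns true */
    greet_safe(long_name);    /* rejected, returns false */
    greet_unsafe(short_name); /* fine with this input; never call it with long_name */
    return 0;
}
```

The difference is entirely in where the length check sits: `copy_bounded()` derives the limit from the destination, so the caller cannot forget it. A memory-safe language performs this check for every array access automatically, which is the property the roadmap requirement is aimed at.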
Other things the US government warns about are inserting user input directly into SQL query strings, as this can lead to SQL injection; the presence of default passwords; the presence of known exploitable vulnerabilities; the presence of open source software with known exploitable vulnerabilities; the lack of multi-factor authentication (MFA); failure to publish CVE numbers for discovered vulnerabilities in a timely manner; and failure to publish a vulnerability disclosure policy for reporting vulnerabilities.
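The SQL injection item above, as an added example in C (not code from the CISA/FBI document or from CisoAdvisor): a query builder that splices user input straight into the query text, beside one that first turns the input into a single well-formed SQL string literal by doubling every single quote. The preferred fix is parameter binding through the database driver's prepared-statement API, which keeps user data out of the query text altogether; this example uses literal quoting only because no database library is assumed. The table and column names, function names and the sample input are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: the input is formatted directly into the query text.
 * Because the input may contain a closing quote, it can end the literal
 * and append SQL of its own. */
int build_query_unsafe(char *out, size_t out_size, const char *user)
{
    return snprintf(out, out_size,
                    "SELECT id FROM users WHERE name = '%s'", user);
}

/* Produce a valid single SQL string literal from arbitrary input by
 * wrapping it in single quotes and doubling every single quote inside
 * (the SQL-standard escape), so the input can never terminate the literal.
 * Returns the length written (excluding NUL), or -1 if it does not fit. */
int quote_literal(char *out, size_t out_size, const char *in)
{
    size_t pos = 0;
    if (out_size < 3)                      /* room for '' and the NUL */
        return -1;
    out[pos++] = '\'';
    for (const char *p = in; *p != '\0'; p++) {
        size_t need = (*p == '\'') ? 2 : 1;
        if (pos + need + 2 > out_size)     /* keep room for closing quote + NUL */
            return -1;
        out[pos++] = *p;
        if (*p == '\'')
            out[pos++] = '\'';
    }
    out[pos++] = '\'';
    out[pos] = '\0';
    return (int)pos;
}

/* Hardened builder: the input reaches the query only as one quoted literal. */
int build_query_safe(char *out, size_t out_size, const char *user)
{
    char lit[256];
    if (quote_literal(lit, sizeof lit, user) < 0)
        return -1;
    return snprintf(out, out_size,
                    "SELECT id FROM users WHERE name = %s", lit);
}

int main(void)
{
    /* constructed input: a name containing a quote and an extra SQL clause */
    const char *input = "x' OR '1'='1";
    char q[256];

    build_query_unsafe(q, sizeof q, input);
    printf("unsafe: %s\n", q);   /* the OR clause becomes part of the query */

    build_query_safe(q, sizeof q, input);
    printf("safe:   %s\n", q);   /* the whole input is one string value */
    return 0;
}
```

In the unsafe output the condition has become `name = 'x' OR '1'='1'`, which matches every row; in the safe output the same bytes are a single literal that matches only a name that literally contains the quote and the clause. With a real driver, replace `quote_literal()` by a `?` placeholder and a bound parameter.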
See the original post at: CisoAdvisor