Software makers are encouraged to abandon C/C++ and take other steps that can “reduce customer risk,” according to the Product Security Bad Practices report that CISA and the FBI released on October 16. In particular, the two agencies have set a deadline of January 1, 2026, for compliance with the report’s memory safety guidance.
The report offers guidance and recommendations rather than mandatory rules, aimed in particular at software manufacturers whose products are used in critical infrastructure or national critical functions. The agencies specifically include on-premises software, cloud services and software as a service in its scope.
Although the report is “non-binding” and does not directly state that using a “dangerous” language could disqualify a manufacturer from government work, the message is clear: these practices are considered unacceptable in software that matters to national security.
“By following the recommendations in this guide, manufacturers will signal to customers that they take ownership of customer security outcomes, a key principle of Secure by Design,” the report states.
Memory-Unsafe Programming Languages Introduce Potential Vulnerabilities
The report calls developing new products in memory-unsafe languages “dangerous” and says it “significantly increases the risk to national security.” Developing in memory-unsafe languages is the first bad practice listed in the report.
Memory safety has been a topic of discussion since at least 2019. Languages like C and C++ “offer a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform necessary checks on memory references,” an NSA report on memory safety stated in 2023. These languages, the NSA report continues, have no inherent memory protections that would prevent memory management errors, and threat actors can exploit the memory problems that arise as a result.
What software makers should do by January 2026
By January 1, 2026, manufacturers should have:
- A memory safety roadmap for existing products written in memory-unsafe languages, which “should describe the manufacturer’s prioritized approach to eliminating memory safety vulnerabilities in priority code components.”
- A demonstration that the memory safety roadmap will lead to a significant reduction in memory safety vulnerabilities in the manufacturer’s products.
- A demonstration of a “reasonable effort” to follow the roadmap.
- New products developed in a memory-safe language wherever a suitable one is available.
Memory-safe languages cited as examples by the NSA include:
- Python.
- Java.
- C#.
- Go.
- Delphi/Object Pascal.
- Swift.
- Ruby.
- Rust.
- Ada.
Other “bad practices” range from default passwords to a lack of vulnerability disclosure.
Other practices labeled “exceptionally risky” by CISA and the FBI include:
- Allowing user-supplied input to be placed directly into the raw content of an SQL database query string (SQL injection).
- Allowing user-supplied input to be placed directly into the raw content of an operating system command string (command injection).
- Shipping products with default passwords. Instead, manufacturers should provide “random, instance-unique initial passwords,” require users to create a new password at the start of the installation process, require physical access for initial setup, and move existing deployments away from default passwords.
- Releasing a product that contains a vulnerability listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
- Using open source software components with known exploitable vulnerabilities.
- Failing to support multi-factor authentication.
- Failing to provide the ability to collect evidence of an intrusion in the event of an attack.
- Failing to publish CVEs in a timely manner, including a Common Weakness Enumeration (CWE) entry that identifies the type of weakness underlying each CVE.
- Failing to publish a vulnerability disclosure policy.
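The first two items in the list above are the injection bad practices. The following Python script is an added example, not code from the CISA/FBI report or from this article: it places each bad practice next to its fix and runs the same attacker-controlled input through both. The users table, the sample rows and the payloads are constructed for the demo, and `echo` stands in for whatever OS command a product might wrap; everything else is the Python standard library.

```python
"""Added example: the two injection bad practices beside their fixes.

Constructed demo, not code from the CISA/FBI report. Uses only the standard
library: an in-memory SQLite database seeded with made-up users, and the
echo command as a stand-in for any OS command a product might call.
"""
import sqlite3
import subprocess

# Constructed sample data for the demo.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_email_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """BAD PRACTICE: user-supplied input pasted into the raw SQL string.

    The input becomes part of the query's grammar, so a single quote in it
    can rewrite the WHERE clause.
    """
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """FIX: parameterized query.

    The driver sends the value separately from the statement text, so the
    input can only ever be compared as data, never parsed as SQL.
    """
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def run_echo_unsafe(arg: str) -> str:
    """BAD PRACTICE: user input concatenated into a shell command string.

    With shell=True the string is parsed by /bin/sh, so metacharacters such
    as ';' in the input start a second command.
    """
    completed = subprocess.run("echo " + arg, shell=True,
                               capture_output=True, text=True, check=True)
    return completed.stdout


def run_echo_safe(arg: str) -> str:
    """FIX: pass an argument vector and no shell.

    The input reaches the program as exactly one argv element, metacharacters
    included, and nothing along the way interprets it.
    """
    completed = subprocess.run(["echo", arg],
                               capture_output=True, text=True, check=True)
    return completed.stdout


def demo() -> dict[str, object]:
    """Run one payload of each kind through both versions and collect results."""
    conn = make_db()
    sql_payload = "nobody' OR '1'='1"      # tautology: no such user, yet every row matches
    cmd_payload = "hello; echo INJECTED"   # ';' smuggles a second command past the shell
    return {
        "sql_unsafe": lookup_email_unsafe(conn, sql_payload),  # leaks every email
        "sql_safe": lookup_email_safe(conn, sql_payload),      # matches nothing
        "cmd_unsafe": run_echo_unsafe(cmd_payload),            # two commands ran
        "cmd_safe": run_echo_safe(cmd_payload),                # literal string echoed
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it and compare the pairs: the unsafe lookup returns both constructed emails for a user that does not exist, while the parameterized version returns nothing; the shell-string version executes the smuggled `echo INJECTED`, while the argument-vector version prints the payload back verbatim. Both fixes work the same way in any language on the NSA list: keep untrusted input out of the text that is parsed as SQL or shell syntax.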
The full report includes recommended next steps that organizations can take to comply with agency guidance.