This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs).
They figured out some security hole in C++ programs that makes them even worse than we thought
Some contractor bribed them to say this so that they can get contracts porting stuff to Rust
Some contractor dug up new legitimate security holes in C++ programs so they can convince the FBI to say this so they can get contracts porting stuff to Rust
High ranking FBI officials are rust fanboys
I think contractor bribes, but I think that last two are fun.
It’s just the obvious thing. C and C++ don’t have safeguards against dangerous programming mistakes. Programming languages exist that do. There are to this day still software vulnerabilities being caused by subtly incorrect code that C and C++ require being treated as legitimate.
C and C++ don’t have safeguards against dangerous programming mistakes.
This is not really true for modern C++… and if you’re talking about code bases that use an ancient dialect of C++ where it might be true, the fantasy of even having the option of porting to Rust is actually pretty laughable. C will continue to be necessary for many critical things because there simply isn’t sufficient compiler support coverage for Rust to take the throne.
The difference here is that it takes discipline and training to use only those parts of C++. That requires humans in the loop to enforce those decisions. Humans are fallible.
If you make it impossible at the language level then there’s nothing to train. You just can’t do the thing unintentionally.
And they didn’t specify Rust; the aerospace industry has been using Ada for decades when it comes to mission critical stuff. Ada’s compiler has long had a similar notoriety to rust’s regarding the difficulty curve.
My guess would also be that most enterprises prefer Ada over Rust, because Rust lack standardisation. Sometimes you need to do unsafe things though and your billion dollar rocket explode.
Which do you think happened?
Honest appraisal of C++ security problems
They figured out some security hole in C++ programs that makes them even worse than we thought
Some contractor bribed them to say this so that they can get contracts porting stuff to Rust
Some contractor dug up new legitimate security holes in C++ programs so they can convince the FBI to say this so they can get contracts porting stuff to Rust
High ranking FBI officials are rust fanboys
I think contractor bribes, but I think that last two are fun.
All wrong! It’s because Rust is WOKE!
It’s just the obvious thing. C and C++ don’t have safeguards against dangerous programming mistakes. Programming languages exist that do. There are to this day still software vulnerabilities being caused by subtly incorrect code that C and C++ require being treated as legitimate.
This is not really true for modern C++… and if you’re talking about code bases that use an ancient dialect of C++ where it might be true, the fantasy of even having the option of porting to Rust is actually pretty laughable. C will continue to be necessary for many critical things because there simply isn’t sufficient compiler support coverage for Rust to take the throne.
The difference here is that it takes discipline and training to use only those parts of C++. That requires humans in the loop to enforce those decisions. Humans are fallible.
If you make it impossible at the language level then there’s nothing to train. You just can’t do the thing unintentionally.
And they didn’t specify Rust; the aerospace industry has been using Ada for decades when it comes to mission critical stuff. Ada’s compiler has long had a similar notoriety to rust’s regarding the difficulty curve.
My guess would also be that most enterprises prefer Ada over Rust, because Rust lack standardisation. Sometimes you need to do unsafe things though and your billion dollar rocket explode.