US government wants businesses to stop using C and C++, claims they are insecure

  • US government agencies speak out about memory-unsafe languages
  • C/C++ are a “risk to national security,” the economy, public health and safety
  • Developers working with critical infrastructure advised to follow further guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have advised businesses not to use the popular C and C++ programming languages, citing security concerns.

The joint report, titled ‘Product Security Bad Practices,’ forms part of CISA’s ‘Secure by Design’ initiative and aims to guide software manufacturers away from risky practices when creating products for critical infrastructure.

Using memory-unsafe languages, like C and C++, was highlighted as one of the key threats to security in the report.

CISA and FBI warn against use of C/C++

Described as “dangerous” and a “risk to national security, national economic security, and national public health and safety,” the agencies advise against using memory-unsafe languages where memory-safe languages are a viable alternative.

Other recommended actions include publishing a memory safety roadmap by January 1, 2026, detailing steps to address vulnerabilities, particularly for sensitive components. However, products with support ending before January 1, 2030 will be exempt from this guidance.

More broadly, a Stack Overflow survey of more than 3,000 UK developers last month revealed that nearly two-thirds (63%) of developers in Britain preferred JavaScript, which is a memory-safe language.

The agencies also highlight some common security oversights, suggesting that companies build products in a way that prevents the introduction of SQL injection and command injection vulnerabilities. The advisory also recommends avoiding default passwords by requiring the use of secure credentials upon installation.

In terms of ongoing support, the two agencies also call for companies to issue CVEs in a “timely manner,” particularly for critical and high-impact vulnerabilities, whether they are discovered internally or by a third party.

Full details of the advisory can be found on CISA’s website.

Craig Hale
