Should you say goodbye to C/C++ development? CISA says you should by 2026 due to cybersecurity concerns


Things change with time. Earlier in my career, most of the software products I was responsible for were built using C/C++, and it was common that being good at it required really good programming skills from the developer. I also remember running into bugs caused by memory "pointers," which were hard to find. However, C/C++ languages were the most efficient in memory-constrained environments, especially in the embedded software space. My teams built analytics/data warehousing solutions with C/C++, especially for ETL functionality, and graphical user interfaces for reporting. C/C++ was the only choice at the time if you wanted to build something robust and fast.

When leading due diligence projects for private equity firms in the cybersecurity/IT space, I had a real wake-up call about cybersecurity and independent software vendors (ISVs). These PE firms want to ensure that the solutions acquired will be secure and do not impose liability on the buyer. I am not convinced that all software vendors realize the importance of investing in security on the level they should. I think it will become one of the key factors for organizations buying software, and therefore, software organizations really need to invest in understanding what security means when building solutions.

Microsoft's CEO Satya Nadella released a memo to employees in May 2024 describing the three core principles of the company's Secure Future Initiative (SFI):

  • Secure by Design: Security comes first when designing any product or service.
  • Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
  • Secure Operations: Security controls and monitoring will continuously be improved to meet current and future threats.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a stark warning about basic security failures that continue to plague critical infrastructure. They have released a report on Product Security Bad Practices, which singles out the use of memory-unsafe programming languages such as C and C++.

The warning is especially focused on the development of new products used in the service of critical infrastructure or National Critical Functions (NCFs), where alternative memory-safe languages could be used.
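To make concrete what "memory-unsafe" means in the report's sense, here is an added C example (my own illustration, not code from CISA's report or from any product mentioned above). It places a textbook defect, copying untrusted input into a fixed-size buffer without checking the length, beside a bounds-checked version that refuses input that does not fit and reports the failure instead of silently corrupting adjacent memory. The function names and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_SIZE 16  /* size of the destination buffer used below (constructed) */

/*
 * Memory-unsafe pattern (hypothetical helper, shown only to illustrate the
 * defect class): the destination size is known to the caller but ignored, so
 * any source longer than dst_size - 1 bytes writes past the end of dst.
 * In C nothing stops that write; this is the bug class the report refers to.
 */
int unsafe_copy_name(char *dst, size_t dst_size, const char *src)
{
    (void)dst_size;      /* the bound is available but never used */
    strcpy(dst, src);    /* no length check: overflow if src is too long */
    return 0;
}

/*
 * Bounds-checked alternative: measures src without reading beyond dst_size,
 * leaves room for the terminating NUL, and returns -1 instead of writing
 * out of bounds. Callers must check the return value.
 */
int safe_copy_name(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)   /* src is at least dst_size bytes: no room for NUL */
        return -1;

    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Convenience wrapper: store src into a NAME_SIZE buffer, report the result. */
int store_name(const char *src)
{
    char name[NAME_SIZE];
    return safe_copy_name(name, sizeof name, src);
}

int main(void)
{
    char name[NAME_SIZE];
    /* constructed sample inputs: one that fits, one that does not */
    const char *ok = "alice";
    const char *too_long = "this_name_is_far_longer_than_sixteen_bytes";

    printf("safe_copy_name(ok) -> %d, name=\"%s\"\n",
           safe_copy_name(name, sizeof name, ok), name);
    printf("safe_copy_name(too_long) -> %d (rejected, buffer untouched)\n",
           safe_copy_name(name, sizeof name, too_long));
    return 0;
}
```

The point of the comparison is not that C cannot be written safely, but that the language leaves the check to the programmer on every call; a memory-safe language performs the equivalent of `safe_copy_name`'s bound check automatically.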

The report divides bad practices into three categories as follows:

  1. Product properties, which describe the observable, security-related qualities of a software product.
  2. Security features, which describe the security functionalities that a product supports.
  3. Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.

The report is aimed at software vendors who develop software products and services, including on-premises software, cloud services, and SaaS used to support critical infrastructure or NCFs.

The recommendation is that software vendors should follow the "Secure by Design Principle" outlined by CISA.

  • As a solution customer, you should ask yourself: Does this software vendor design and build software solutions securely?
  • You, as the software vendor, should ask the question: Do we invest enough resources in security-related design and understand what it takes to build secure solutions?

I would love to hear your thoughts on this topic. If you are in the software development world, either as a software vendor or as a services vendor delivering solutions, you should have this on your mind.

Yours,

Dr. Petri I. Salonen

PS. If you would like to get my Business Models in the AI Era newsletter in your inbox on a weekly or bi-weekly basis, you can subscribe to it here on LinkedIn: https://www.dhirubhai.net/newsletters/business-models-in-the-ai-era-7165724425013673985/
