Another week, another post defending C/C++ from memory safety critics, and another major vulnerability in Azure caused by memory safety. The blog does a good job of trying to explain how new C++ features could make it harder for memory safety vulnerabilities to occur, but then it unfortunately reuses the common trope of "but log4shell didn't have anything to do with memory safety!". This is just another "no silver bullet" fallacy, and a waste of everyone's time.

Of course application/logic bugs can still be introduced; memory safety doesn't cure cancer, but it does eliminate 70%+ of *all* vulnerabilities to date. There's no excuse to not fix this and just use memory safe languages today. I'm thrilled at the bold work CISA and the US Government have done in this area recently; their "hammer" approach will actually move the needle.

It's a *good thing* if we start discovering and fixing more application/logic bugs as a result of moving to memory safe languages. That's how security works! This is like saying "why bother encrypting traffic, users reuse passwords anyway!". Come on, we're all smarter than this. Attackers are smart too and will move to the next easiest way to attack, but eliminating the low hanging fruit makes their jobs harder, our jobs easier, and gives us more time to focus on the next thing.

It's unsafe and irresponsible to continue building critical applications in non-memory safe languages. Stop rationalizing it, accept it, and move on to defend the more interesting attacks!

Blog: https://lnkd.in/e85SEAQr
Azure Vulnerability: https://lnkd.in/eS_EtUa7

#memorysafety #c++ #omigod #azure #cybersecurity
Dan Lorenc, do you think it is worth applying the principles of memory safety to domains such as microcontrollers, OS kernels, etc., considering their inherent need for performance and direct hardware control?
I liked it! All fire up 🔥🔥🔥🚒 … we cannot wait for silver bullets to move the needle in security.
Programming in C++ is like driving a sports car. It can be dangerous - but it is also a lot of fun and fast. Would you let a young driver start with a +500 hp sports car? Probably not. Speeding is a top problem with young drivers (over 30% of fatal accidents). It's not the fault of the sports car - like it is not the fault of C++. Stop putting C++ in the hands of beginners. Problem solved.