Safe by default
August 18, 2015  

I’ve been writing a series of posts on why we should deprecate unsafe languages like C/C++ in favor of memory safe languages (here, here, here, here, here, here, here, here).

I’m mainly addressing the security community with these posts, and not the programming community in general. The reason to sunset C/C++ is for security, so I think my community ought to have an opinion on this. I think the evidence is overwhelmingly in favor of making safe languages the default choice for new projects, and I wonder whether we’re now at a point where we can get to a consensus on this. If security experts can’t agree, there is little hope of convincing others.

I know that many in the security community agree with me, even if they do not make a point of it. I was greatly encouraged to hear Alex Stamos’ opening remarks at the Yahoo Trust Unconference where he calls for us to stop using unsafe languages (just after the 10:00 mark). However, I think there’s also a sizable macho/arrogant part of the world, including the security world, that thinks that they can write large C/C++ programs without buffer overflows. These people should defend their views.

The kind of consensus I’m looking for is hard to achieve. I think encryption is a useful comparison. At a security conference in 2009, I called for us to start using encryption. Some in the audience were baffled (Dan Boneh asked, “What about SSL?!”), but others, who worked for companies running big webmail systems, were red-faced. The reality is, we were not using encryption very much back then, and certainly not as much as we ought to have been. The view that encryption was too slow/not needed was widespread (much like the view that safe languages are too slow/not needed is widespread today). The top security people were not able to convince their companies to deploy a security technology that was pretty well established, dating back to the mid 1970s.

Since then, we have had the Snowden revelations and much more. There has also been a huge undertaking to make encryption faster and to improve certificate authorities. There are still many problems and obstacles (cf. this), but unlike 2009, when the best security experts were not able to get their companies to encrypt email, today most security experts recommend encryption by default, and their companies are listening to them.

I’m hoping that we can move safe languages forward along the same path. To make that happen, we need the security community as a whole to start recommending safe languages by default.