This is the government's strongest stance yet on software security, which puts manufacturers on notice: fix dangerous coding practices or risk being labeled as negligent.
  • sp3ctr4l@lemmy.zip
    444·
    14 days ago

    … Are the Feds aware that the core systems that many, many older companies (and government agencies) use are still based on COBOL?

    Is… is that not of any concern?

    • aubeynarf@lemmynsfw.com
      16·
      14 days ago

      Is COBOL subject to buffer overflows and use-after-free bugs? I honestly don’t know.

      I don’t recall the COBOL code I’ve read using pointers.

      • sp3ctr4l@lemmy.zip
        7·
        14 days ago

        The problem I am aware of is moreso that the number of programmers that know COBOL is vanishingly small, it … COBOL does not seem to really be taught anymore…

        …so if something goes wrong at that level, you may be SOL if you cannot find an increasingly rare programmer that knows COBOL well.

  • wewbull@feddit.ukEnglish
    4620·
    14 days ago

    That sounds like policy written by somebody who has no idea what the reality of software development is.

    1 year to rewrite critical software in a new language?

    • nous@programming.devEnglish
      582·
      14 days ago

      Did you read the article at all?

      “Putting all new code aside, fortunately, neither this document nor the U.S. government is calling for an immediate migration from C/C++ to Rust — as but one example,” he said. “CISA’s Secure by Design document recognizes that software maintainers simply cannot migrate their code bases en masse like that.”

      Companies have until January 1, 2026, to create memory safety roadmaps.

      All they are asking for by that date is a roadmap for dealing with memory safety issues, not rewrite everything.

  • mox@lemmy.sdf.org
    19·
    14 days ago

    Don’t assume too much from the headline, folks. They’re not saying everything has to be rewritten by 2026. They’re saying new product lines serving critical infrastructure should be written in memory-safe languages, and existing ones should have a memory safety roadmap.

    If you’re about to post about how you think that’s unreasonable, I think you should explain why.

  • Primer - Zip@lemmy.zipEnglish
    1·
    14 days ago

    Just from reading the article, is the scope just critical software infrastructure? What does that encompass exactly? Banking and military software seems easy to assume - what about embedded medical device software? Or just embedded software in general?