A few days ago, the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued a stark warning: Critical software must move away from memory-unsafe languages like C and C++ by January 2026 or face significant security risks.
Memory safety vulnerabilities account for approximately 70% of security vulnerabilities in software systems today. These issues arise from the manual memory management required in languages like C and C++, where programmer mistakes can lead to buffer overflows and other critical security flaws that attackers can exploit to take control of systems.
CISA said that for new product lines meant for critical infrastructure or national functions, using memory-unsafe languages is deemed “dangerous and significantly elevates risk to national security”. By January 2026, organisations must either have a clear memory-safety roadmap or transition to memory-safe alternatives.
The White House had suggested the same, saying experts have identified a few programming languages that both lack traits associated with memory safety and also have high proliferation across critical systems, such as C and C++, and if possible, should be avoided.
Is it a Good Idea?
When AIM asked about replacing C/C++ with modern-day programming languages like Rust, Aleksa Gordić, ex-research engineer at DeepMind and founder of Runa AI, said that C/C++ power everything.
There is an enormous amount of legacy code out there that has been written over the past decades. For reference, C was created in 1972 by Dennis Ritchie, and C++ in 1979 by Bjarne Stroustrup. Most microcontrollers in existence today, powering everything from toasters and refrigerators to keyboards, aeroplanes, and cars, all run on C.
Many companies have built their entire tech stacks in these languages, and transitioning to a new language/stack, even one that is strictly better along every single dimension, is prohibitive from a cost perspective ($, dev time, etc.).
On the flip side, similar to biological systems, evolutionary pressures are at play here, with newer languages branched off from older ones occasionally proving to be better.
Aleksa gave the example of Rust, which was created in 2006. Its creator, Graydon Hoare, had the advantage of learning from the strengths and weaknesses of previous generations of languages. This is clearly an advantage that newer languages enjoy.
“But, just to be clear, strictly better language design is often not enough. Languages are often more about the communities built around them than having a ‘superior design’. The majority of programmers still need to use the language and build libraries, projects, and Q&A forums around it,” he added.
One of the primary concerns among developers is the question of interoperability. As a developer pointed out on Reddit, “C is the bridge between languages – just about every language has a CFFI, and that usually comes free with the language. If we replace C code, how will these languages communicate with each other?”
Even if we consider the performance part of C++, the opinions are mostly positive. C++ developers, when highly skilled, often get paid hefty salaries. These are not your typical developers, but those that often deal with complex tasks, including quantitative trading and robotics systems.
Apart from handling complex operations, other benefits include extreme performance (less than 1ms response times), very low server footprint, and accomplishing features otherwise dismissed as “not possible at scale”.
But the most important question here is what happens to the legacy systems? On a higher level, you have two options: either rewrite software from scratch using the new programming language or write a wrapper around the legacy code using the proposed programming language. The problem is that both require a lot of time, effort, and debugging.
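The wrapper option, sketched in Rust as an added example that is not part of the original article: a safe function checks every precondition a strcpy-style legacy routine silently assumes, so the `unsafe` call is confined to one audited place. `legacy_copy_name`, `copy_name`, `NameError` and `MAX_NAME` are hypothetical names, and the legacy routine is a constructed stand-in written with the C ABI rather than linked C code.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::c_char;

// Constructed stand-in for a legacy C routine (strcpy-style): it copies a
// NUL-terminated string into `dst` and trusts the caller about its size.
// In a real migration this would be declared in an extern block and linked.
unsafe extern "C" fn legacy_copy_name(dst: *mut c_char, src: *const c_char) -> usize {
    let mut i = 0;
    unsafe {
        while *src.add(i) != 0 {
            *dst.add(i) = *src.add(i);
            i += 1;
        }
        *dst.add(i) = 0;
    }
    i
}

#[derive(Debug, PartialEq)]
pub enum NameError {
    InteriorNul,
    TooLong { len: usize, max: usize },
}

// Hypothetical size limit of the legacy record field, in bytes.
pub const MAX_NAME: usize = 16;

// Safe wrapper: every precondition the legacy routine assumes is checked
// here, so safe Rust callers cannot cause an out-of-bounds write.
pub fn copy_name(name: &str) -> Result<String, NameError> {
    let src = CString::new(name).map_err(|_| NameError::InteriorNul)?;
    let len = src.as_bytes().len();
    if len > MAX_NAME {
        return Err(NameError::TooLong { len, max: MAX_NAME });
    }
    let mut dst = [0 as c_char; MAX_NAME + 1]; // room for the terminator
    // SAFETY: src is NUL-terminated and len + 1 <= dst.len().
    let written = unsafe { legacy_copy_name(dst.as_mut_ptr(), src.as_ptr()) };
    debug_assert_eq!(written, len);
    // SAFETY: the legacy routine wrote a terminator inside dst.
    let out = unsafe { CStr::from_ptr(dst.as_ptr()) };
    Ok(out.to_string_lossy().into_owned())
}

fn main() {
    println!("{:?}", copy_name("sensor-01"));
    println!("{:?}", copy_name("a-name-that-is-far-too-long-for-the-field"));
}
```

The debugging cost the article mentions sits in the two `SAFETY` comments: each one is a claim about the legacy code that has to be verified by hand.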
And then, of course, there’s the money side of things. A Reddit user mentioned that if the US government wants its developers to adopt the latest and greatest languages that are in high demand in Silicon Valley, they’ll have to pay developers more than the GS schedule.
“The highest-paid US gov grade 15 step 10 engineer makes less than our lowest paid engineer,” he added, suggesting that the US government might need to reform their salary structure to facilitate the ecosystem of modern programming languages.
Contrary to this, when AIM spoke to Pratham Patel, a developer at Rocky Enterprise Software Foundation, he said that replacing C/C++ isn’t the “be all and end all” solution, but it is a good solution nonetheless. There are very few languages that are memory-safe and do not need a runtime.
Python, Java, and JavaScript are memory-safe languages but require the CPython interpreter, JVM and V8 respectively. “C, C++, Rust and Zig are languages which do not need runtimes. The last two [Rust and Zig] enforce as much memory safety as possible,” he added, suggesting that C/C++ can be replaced with languages like Rust and Zig due to their memory safety features.
Patel later mentioned that these legacy systems remain in use because they generate revenue for both the businesses that rely on them and the IT companies that maintain them through expensive support contracts.
However, these systems inevitably reach a point where the original code becomes incomprehensible to current developers, creating a technical debt crisis.
The COBOL Effect
The idea of moving away from something like C/C++ is a nightmare for programmers, especially since it’s used in almost everything. Sure, if you consider high-level programming, you might not be able to see the relevance, but as soon as you dig deeper, you will realise that from motherboards to operating systems, C/C++ is an integral part of modern computers.
Take COBOL, for instance. Everyone believed it was dead until the New Jersey government started looking for COBOL developers in 2020 since it still powers a majority of their banking systems.
A balanced approach is what Linux is going with. While Linux was built on top of C, in recent years Rust has been integrated into the Linux kernel as a second language. This way, we can slowly move away from languages like C and utilise modern-day languages like Rust while not completely abandoning the older ones.
The post Can Legacy Systems Transition Away from C/C++? appeared first on Analytics India Magazine.