Note: I updated the view counts for the videos mentioned. These are current as of 12/9/18.
A friend of mine sent me slack message asking for my opinion of an article he saw on Reddit. In a nutshell, the author makes the case the C, C++, and by extension, Modern C++ are dying languages and that they’re dying because they’re unsafe languages. Like COBOL, the author says, they are a dying breed and destined to be consigned to the scrap heap of programming languages in favor of “safe” languages (my paraphrase of his thesis).
You can read the full article here: C and C++ are dead like COBOL in 2017.
To start with, the comparison between COBOL and C++ is a bad one. C++ is a general purpose, Turing complete programming language and COBOL is not. They live in completely different domains and solve completely different problems sets so any comparison in usage characteristics falls apart rather quickly.
But in general, yes, I agree with his basic premise that the use of C, C++ and Modern C++ is declining in an ever expanding universe of languages but not for the reasons the author subscribes.
I think lassitude is a more reasonable explanation. With complexity as an accomplice.
In the article, the author says, “However, I realize that security, while of vital importance to me, is of relatively little concern for most software developers.” He then goes on to argue that the decline of C++ is because it’s an unsafe language. Both arguments are in conflict with one another and cannot be true at the same time.
The decline of C++ is, I think, not because of security. It is true that most developers generally don’t concern themselves with security. But that also means that they’re not going to walk away from C++ for those reasons. You can see the evidence of this on YouTube. Both of my talks on secure coding in C++ at CppCon 2018 got just over 7K views combined.
The talk on nano-coroutines, 16K views.
Embedded (where C++ gets little vendor support), 7K views.
Metaclasses, 33K views.
Modern C++ Design, 16K views.
Part of it can be explained by me being an relatively unknown speaker compared to the speakers who gave the other talks. But, largely, I think software security is not a particularly compelling topic. Ask yourself how many security talks have there been at C++Now or CppCon in the past 5 years by well-known speakers? A hand full, maybe.
Compare that to the number of talks on: Template Meta programming, Concepts, Co-routines or Data Structures. A dozen or more on each I would expect.
Developers don’t care about the security of Modern C++.
But they should and I’ll make the case as to why further down in this post.
Instead, what they care about is how easy C++ is to use and the cool things they can do with it. The reason for the decline of C++ is that it’s a hard language to master. And, we’re making the problem worse as we add more and more stuff to the standard that increases complexity but has specious value at best. That makes the jobs of everyday developers harder, not easier..
I had an interesting conversation with Bjarne at CppCon this year and he makes an excellent point about having language standards that are top heavy and overloaded with dingle-balls for experts (my words, not his).
From his paper, Remember the Vasa!:
Basically, we’re lazy as a species and we’ll surrender control for comfort.
Is C++ a safe language?
Unsurprisingly, I get this question a lot including several times at CppCon this year in my security talks and again in the software security panel discussion. My answer is, yes – if you know what you’re doing. The problem is that most of us don’t and each new release of the standard makes that problem worse.
If we want to keep C++ from becoming a niche language for experts, we’ll have to address its complexity and how we use it. In the same way that energy in a structure under stress migrates to the weakest points, vulnerabilities migrate to the areas of greatest complexity.
C++, and by extension Modern C++, is a well defined language and I have nearly thirty years of experience with it. I also have a security background using it. That makes it a “safe” language for me because I know what I’m doing. But, even I find it challenging to keep up with the undefined behavior in the standard and, not being a language lawyer or compiler designer, even I have a hard time just decoding the standard itself.
What will make Modern C++ a “safer” language is when we stop increasing its surface complexity. And by the way, that’s when more developers will come back to Modern C++ because its power and flexibility are unrivaled in the history of computer science.
And what about C++ developers not caring about security?
That’s beginning to change. As the financial body count from breaches rises and as more heterogeneous, unrelated systems become incidentally interconnected via the internet (think jets, autonomous vehicles and power plants), the visibility of software security is beginning to rise. This year at CppCon, for example, there were seven talks and two panels related to software security accounting for almost 40,000 views on YouTube.
And secure software should come to the forefront. The same principles that make code safer also make it simpler, easier to reason about and more maintainable.
Not bad for a dying language that turns 60 next year.