The GCP agent similarly does not listen to the network.
Both the Google and AWS agents are written in Go, too, so they're unlikely to have the classic C/C++ errors, more likely to use libraries rather than reinventing the wheel, and using a higher-level language often makes the logic easier to understand. Neither of those is foolproof or prevents logic errors, of course, but I would still expect a lower bug density all other things being equal.
I love programming in Go, but I disagree with this point. The golang library ecosystem is absolutely less mature compared to C++.
Rust and Go are a pleasure to write in, but they don’t magically fix every problem and frequently CREATE problems because they’re still under development. In this case, the missing auth header vuln has nothing to do with the underlying language.
Two things here:
- This vulnerability is a logic error (no header => root), not a buffer overflow. It could have happened in any language.
- C and C++ don't play in the same band anymore. Most security vulnerabilities affecting C generally do not affect C++ (no stack-based string handling, no VLA, no void* everywhere, proper RAII, proper type safety)
And yes, for developing a minimum-memory-footprint system daemon in 2021, I would use C++ or Rust but definitely not C.
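Added example, not part of the thread and not the affected agent's code: a sketch in Go of the "no header => root" logic error the comments describe, next to a fail-closed version, showing that a memory-safe language does not rule it out. The `identity` type, the `lookup` helper, the token and the URL are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Hypothetical identity model for this sketch: uid 0 is root.
type identity struct{ uid int }

var errUnauthenticated = errors.New("unauthenticated")

// lookup stands in for real credential verification (constructed data).
func lookup(token string) (identity, bool) {
	users := map[string]identity{"Bearer alice-token": {uid: 1000}}
	id, ok := users[token]
	return id, ok
}

// authFailOpen shows the bug class: the identity starts as the zero
// value (uid 0) and is only overwritten when a header is present.
func authFailOpen(r *http.Request) (identity, error) {
	var id identity // zero value: uid 0
	if h := r.Header.Get("Authorization"); h != "" {
		got, ok := lookup(h)
		if !ok {
			return identity{}, errUnauthenticated
		}
		id = got
	}
	return id, nil // no header: falls through as uid 0
}

// authFailClosed rejects anything that was not positively verified,
// including a request with no Authorization header at all.
func authFailClosed(r *http.Request) (identity, error) {
	id, ok := lookup(r.Header.Get("Authorization"))
	if !ok {
		return identity{}, errUnauthenticated
	}
	return id, nil
}

func main() {
	// Constructed request that carries no Authorization header.
	req, _ := http.NewRequest("POST", "http://agent.invalid/run", nil)
	open, _ := authFailOpen(req)
	_, err := authFailClosed(req)
	fmt.Printf("fail-open uid=%d, fail-closed err=%v\n", open.uid, err)
}
```

A regression test for this class of bug sends the request with the header absent, not just with a wrong value, and asserts that it is rejected.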