Oddbean

Eliminating Memory Safety Vulnerabilities at the Source (Google Security Blog) Here's <a href="https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html" rel="nofollow">a post on the Google Security Blog</a> on how switching to a memory-safe language can quickly reduce vulnerabilities in a project, even if a large body of older code persists. This leads to two important takeaways: The problem is overwhelmingly with new code, necessitating a fundamental change in how we develop code. Code matures and gets safer with time, exponentially, making the returns on investments like rewrites diminish over time as code gets older. For example, based on the average vulnerability lifetimes, 5-year-old code has a 3.4x (using lifetimes from the study) to 7.4x (using lifetimes observed in Android and Chromium) lower vulnerability density than new code. https://lwn.net/Articles/991775/