Eliminating Memory Safety Vulnerabilities at the Source
(Google Security Blog)
Here's <a href="https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html" rel="nofollow">a
post on the Google Security Blog</a> on how switching to a memory-safe
language can quickly reduce vulnerabilities in a project, even if a large
body of older code persists.
This leads to two important takeaways:
The problem is overwhelmingly with new code, necessitating a
fundamental change in how we develop code.
Code matures and gets safer with time, exponentially, making the
returns on investments like rewrites diminish over time as code gets
older.
For example, based on the average vulnerability lifetimes, 5-year-old code
has a 3.4x (using lifetimes from the study) to 7.4x (using lifetimes
observed in Android and Chromium) lower vulnerability density than new
code.
https://lwn.net/Articles/991775/