Google has unveiled compelling data highlighting the efficacy of its “Safe Coding” approach in reducing memory safety vulnerabilities.
The tech giant’s strategy, which prioritises the use of memory-safe programming languages for new code development, has yielded impressive results. Most notably, Android has seen a sharp decline in memory safety vulnerabilities, plummeting from 76% of all vulnerabilities in 2019 to just 24% in 2024.
This reduction is particularly significant given that the industry norm for memory safety issues hovers around 70%. Google’s success in this arena offers a beacon of hope for developers grappling with similar security challenges.
The crux of Google’s approach lies in a counterintuitive insight: focusing on safe coding practices for new code can swiftly reduce the overall security risk of a codebase, even as the volume of memory-unsafe code continues to grow.
Google’s analysis reveals that vulnerabilities decay exponentially over time, with a pronounced half-life.
“A large-scale study of vulnerability lifetimes published in 2022 in Usenix Security confirmed this phenomenon. Researchers found that the vast majority of vulnerabilities reside in new or recently modified code,” the company notes.
This finding underscores two critical points for developers:
- The bulk of the problem lies in new code, necessitating a fundamental shift in development practices.
- Code matures and becomes safer over time, exponentially, diminishing the returns on investments like complete rewrites.
Google’s data suggests that 5-year-old code has a 3.4x to 7.4x lower vulnerability density than new code, depending on the specific context.
The tech behemoth is not advocating for a wholesale rewrite of existing memory-unsafe code. Instead, it emphasises the importance of interoperability between memory-safe and memory-unsafe languages. This approach allows organisations to leverage existing investments while accelerating the development of new, safer features.
To support this strategy, Google has provided a £790,000 grant to the Rust Foundation and developed interoperability tools like Crubit and autocxx.
As the industry shifts towards Safe Coding, Google anticipates a decreased reliance on traditional exploit mitigations and proactive detection methods like fuzzing. However, these techniques are expected to become more targeted and effective when applied to smaller, well-encapsulated code snippets.
For software developers, Google’s findings offer a clear directive: prioritising memory-safe languages for new development can yield significant security benefits—even in large existing systems. By “turning off the tap” of new vulnerabilities, developers can leverage the natural decay of existing issues to enhance overall system security.
As the software industry continues to grapple with security challenges, Google’s Safe Coding strategy presents a promising path forward, offering a scalable and sustainable approach to building high-assurance software.
(Photo by Arthur Osipyan)
See also: General app stability improves as crash-free sessions near 100%
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo, and AI & Big Data Expo.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.