Improving code quality has become as, if not the, most important aspect of software. Bugs and security holes are exposing attack surfaces for personal data theft, infiltration, and ransomware. Google has been trying a number of approaches to improve things, and now they released a report on the effect of replacing memory unsafe languages with memory-safe languages.

Their approach stems from a number of somewhat obvious, but powerful observations. Memory vulnerabilities in a block of code decay quickly as it is tested in live conditions. In fact, they disappear exponentially with time as bugs are found and fixed. Therefore, the time when code is most likely to have the most memory safety issues is in brand new code.

It makes sense. As bugs are fixed, code becomes more and more bug-free (which is one of the big fallacies of the ‘lets scrap it and re-write all this messy code’ approaches). This also means that replacing old code with memory-safe languages actually doesn’t give you the best ROI. Instead, a team should focus on making sure the NEW code they add is in a memory-safe language to reduce the maximum amount of issues in the least amount of development time.

Google proved this out in their Android stack. By leaving the old code alone (just fixing bugs), they focused on just ensuring all NEW code was in a memory-safe language. This simple approach gave them a huge improvement in the number of memory vulnerabilities encountered each year:

Definitely worth a read

Articles:

• https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html