Dive Brief:
- Google lowered the percentage of memory-safety vulnerabilities in Android from 76% to 24% over the last six years by gradually shifting development to memory-safe languages for new features, the company said in a Wednesday blog post.
- Instead of focusing on existing code, Android developers decreased memory-safety vulnerabilities by prioritizing the use of memory-safe languages in new code beginning in 2019. Over the six-year period, the total lines of memory-safe code in Android grew at a much faster rate while the total amount of new memory-safety vulnerabilities declined in kind, according to Google.
- Despite the majority of Android code still being memory-unsafe, Google said it achieved a “seemingly counterintuitive result” by transitioning all new development to memory-safe languages.
Dive Insight:
Google’s results, notably its decision to leave existing code mostly untouched except for vulnerability patches, provide software developers a roadmap to address one of the most persistent security problems: memory-safety CVEs.
The Cybersecurity and Infrastructure Security Agency and other federal cyber authorities consistently point to memory-unsafe languages as contributing to some of the worst vulnerability crises.
Earlier this year, the White House Office of the National Cyber Director called on the technology industry to widely adopt memory-safe languages in its products.
Officials contend software vendors can make a significant dent in the number of vulnerabilities they introduce by shifting to memory-safe languages.
CISA previously said “two-thirds of vulnerabilities in memory-unsafe languages are caused by memory-safety vulnerabilities.”
More than half of critical open-source projects are written in memory-unsafe languages, the FBI and CISA said in a June report.
“The problem is overwhelmingly with new code, necessitating a fundamental change in how we develop code,” Google said in the blog post. “Code matures and gets safer with time, exponentially, making the returns on investments like rewrites diminish over time as code gets older.”