The Register: Google’s Rust belts bugs out of Android, helps kill off substantial unsafe code

Source URL: https://www.theregister.com/2024/09/25/google_rust_safe_code_android/
Source: The Register

Feedly Summary: Memory safety flaws used to represent 76% of ‘droid security holes. Now they account for 24%
Google’s effort to prioritize memory-safe software development over the past six years has substantially reduced the number of memory safety vulnerabilities in its Android operating system.…

**Summary:** Google’s initiative to enhance memory safety in software development has drastically reduced memory safety vulnerabilities within the Android operating system. By implementing Safe Coding practices, which prioritize memory-safe programming languages and techniques, the company has significantly lowered its vulnerability rates, reflecting a broader industry trend towards safer code.

**Detailed Description:**
Google’s recent report details its successful multi-year effort to improve memory safety within its Android operating system through the following key initiatives:

– **Reduction in Vulnerabilities:**
  – The percentage of memory safety-related vulnerabilities has dropped from 76% in 2019 to an anticipated 24% by the end of 2024.
  – The resulting share is significantly below the industry average, which stands at around 70%.

– **Adoption of Safe Coding Practices:**
  – Safe Coding emphasizes the use of memory-safe programming languages such as Rust, C#, Go, Java, Python, and Swift.
  – Techniques like static analysis and API design have also been crucial components of this approach.
  – The shift to Safe Coding allows more robust assertions about code properties, improving predictability and reducing dependency on mitigation strategies.

– **Impact on Development Metrics:**
  – The rollout of Rust has yielded notable improvements: the rollback rate of Rust changes is less than half that of C++ changes.
  – The emphasis on preemptively identifying bugs (shifting bug detection ‘left’) has enhanced overall code correctness and developer output.

– **Addressing Legacy Code:**
  – There is no need for a wholesale rewrite of existing unsafe legacy code; the report points out that vulnerabilities naturally decay over time as code evolves.
  – The lifecycle of vulnerabilities means older code tends to exhibit a significantly lower vulnerability density.

– **Strategic Advantage Through Safe Coding:**
  – By prioritizing memory-safe coding in new projects while allowing legacy code to coexist, organizations can effectively lower overall risk without extensive refactoring.
  – This approach leverages the natural decay of vulnerabilities, improving security across existing systems while allowing for scalable, targeted strategies in remediation.

– **Paradigm Shift:**
  – The concept centers on stopping the introduction of new vulnerabilities as a way to enhance overall safety.
  – Once new vulnerabilities stop being introduced, the existing code becomes inherently safer, leading to a proactive and sustainable security model.

This information presents significant implications for security professionals, particularly as it highlights a robust methodology for enhancing software security through memory safety practices. The trend towards using languages designed to minimize vulnerabilities not only improves the security landscape but also aligns with best practices in software engineering and development, making this a pivotal insight for those in the security and compliance domains.