Post Syndicated from corbet original https://lwn.net/Articles/991775/
Here’s a
post on the Google Security Blog on how switching to a memory-safe
language can quickly reduce vulnerabilities in a project, even if a large
body of older code persists.
This leads to two important takeaways:
- The problem is overwhelmingly with new code, necessitating a fundamental change in how we develop code.
- Code matures and gets safer with time, exponentially, making the returns on investments like rewrites diminish over time as code gets older.

For example, based on the average vulnerability lifetimes, 5-year-old code has a 3.4x (using lifetimes from the study) to 7.4x (using lifetimes observed in Android and Chromium) lower vulnerability density than new code.