this post was submitted on 17 Nov 2025
25 points (96.3% liked)

Programming

23517 readers
271 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
UlrikHD@programming.dev
25
A Practical Guide to Transitioning to Memory-Safe Languages - Turning off the spigot of vulnerabilities: a new strategy for memory safety (queue.acm.org)
submitted 3 days ago* (last edited 3 days ago) by HaraldvonBlauzahn@feddit.org to c/programming@programming.dev
0 comments fedilink hide all child comments
 

Fortunately, data demonstrates that making a better choice does not require daunting multiyear rewrites of existing codebases. Security can be dramatically improved by incrementally shifting the development of just new code to memory-safe languages. If these vulnerabilities can be avoided with low impact on other development goals, then choosing to introduce new ones should increasingly be considered unacceptable, and our goal should be for vulnerabilities to become increasingly impossible to introduce.

[...] This leads to a counterintuitive insight that defies some popular anecdotes: The most vulnerable code in your project is not some dusty legacy component, but the code being written today. This is because, like most bugs, vulnerabilities have a half life. The longer code exists and is exercised, the more likely its flaws are to be found and fixed, leaving the freshest code with the highest concentration of bugs.

[....]

Beyond stability, there have also been gains in development velocity. Change lead time, the time it takes for a code commit to be successfully deployed, is a critical measure of efficiency. One of the largest factors in this metric is often code-review latency. Our data shows a fascinating trend: As our developer community has gained experience with Rust, the time required for code reviews has decreased (see figure 4b). Rust changes tend to go through fewer revisions and spend less time in the review cycle, with an approximately two times faster median code review in 2024 compared with C++.

[...]

These positive outcomes demonstrate that choosing a memory-safe language is not about making a tradeoff between security and productivity. We are not sacrificing quality for velocity or productivity for security. We are improving across all of these metrics simultaneously. The results were achieved while reducing costs associated with sandboxing, fuzzing, and the engineering hours spent triaging and patching bugs. Using a better tool allows for fewer tradeoffs, resulting in better software and, ultimately, a better product.

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here