The responsibility is on our ecosystem, not the developer
Securing software has historically been the responsibility of developers, with the expectation they understand and follow complex secure-coding guidelines. It’s no wonder so many incidents start with an error when developing and deploying systems: failure to consider a security threat during the design of a system, introduction of a coding error during development that results in a vulnerability, or a configuration change that exposes a deployed system to attack.
We believe that a Secure-by-Design approach applied to developer ecosystems is one of the most effective ways to achieve high assurance levels of safety and security. A developer ecosystem designed for safety and security ensures security invariants for applications, and prevents entire classes of vulnerabilities, providing assurance at scale. It’s why Google is investing to further expand use of memory-safe languages to address the risk of developers accidentally introducing these kinds of vulnerabilities, putting that responsibility on the language itself. We are also investing in building out the external memory-safe ecosystem, through a $1,000,000 grant to the Rust Foundation, and funding efforts to bring Rust to the Linux kernel.
Making products more secure as soon as they reach users’ hands means focusing upstream on our software development — perfecting safe coding, deployment and guidance. At Google, we will continue to engage deeply, share our experience, and partner to advance new frameworks, best practices and guidance to secure the digital domain for everyone.