Google Calls for Industry-Wide Standards to Eliminate Memory Safety Vulnerabilities
Google is urging the tech industry to embrace standardized practices to eliminate memory safety vulnerabilities—one of the most persistent and damaging categories of software flaws.
Authored by a group of security and research leaders at Google, including Alex Rebert, Ben Laurie, Murali Vijayaraghavan, and Alex Richardson, the blog post highlights how decades of reactive security measures such as code audits and fuzzing have failed to curb memory-related bugs, which continue to threaten personal privacy, business resilience, and national security.
A Shift Toward Secure-by-Design Principles
Google is advocating for a shift in mindset—from reactive fixes to proactive design. This shift builds upon a broader push for secure-by-design development, emphasizing memory-safe languages such as Rust and Kotlin, along with safe subsets of C++ such as Safe Buffers. These approaches have already shown measurable reductions in vulnerabilities. For instance, Android's use of Kotlin and Rust has significantly improved memory safety in new codebases.
Standardization
The company is not acting alone. Backed by academic and industry collaboration, Google supports a proposal to standardize memory safety practices through a flexible, technology-neutral framework. This would enable:
Innovation across tools and platforms by avoiding prescriptive tech mandates.
Tiered safety levels similar to SLSA, allowing tailored requirements for diverse systems.
Objective measurement of memory safety, akin to energy efficiency ratings.
Practical implementation guides, helping teams use unsafe code safely when necessary.
The goal is to foster an environment where vendors are incentivized to prioritize security, and customers—from enterprise buyers to end users—can make informed decisions based on verified safety metrics.
Hardware Is Part of the Solution
Emerging hardware technologies also play a role in Google's vision. Tools like ARM's Memory Tagging Extension (MTE) and the CHERI architecture are being explored as complementary solutions to software-based protections, especially for legacy codebases.
Google's Commitment
Internally, Google is continuing to invest in memory-safe languages and is modernizing existing codebases through hardened standard libraries and enhanced development practices. Their long-term approach emphasizes measurable progress without locking into specific technologies prematurely.
"This effort isn't about picking winners," the blog emphasizes. "It's about enabling a future where developers, businesses, and governments can all make informed, confident decisions to secure their software systems."
The Path Forward
Google is calling on the broader tech community—developers, tool vendors, regulators, and researchers—to join the movement. With global collaboration and a unified vision, the industry can build a future where memory safety is not an afterthought, but a foundational standard.
Read the full post on the Google Security Blog.