As has been pointed out repeatedly whenever this statistic is brought up in discussion, that figure is not indicative of much.
And in discussions like this, it's verging on the dishonest - leading with a large number makes readers think that a large difference to bug count will result.
> Around 70 percent of all the vulnerabilities in Microsoft products addressed through a security update each year are memory safety issues, a Microsoft engineer revealed last week at a security conference.
What's the total bug count?
A codebase with 10000 bugs logged against it might have maybe 10[1] that are CVEs, of which, according to that statistic, only 7 would be fixed by moving to a safer language (either GC or Rust or similar).
That's just not enough motivation for switching when the payoff for preventing "70% of CVEs" is so small it may never even happen.
[1] I've worked on C codebases that were developed over a decade, and 1000:1 of all-bugs:memory-safety-bugs is a very conservative ratio. IME, it's been closer to 10000:1.
>Mark Russinovich, the chief technology officer of Microsoft Azure, says developers should avoid using C or C++ programming languages in new projects and instead use Rust because of security and reliability concerns.