  • Thursday, September 26, 2024

    Memory safety vulnerabilities pose a significant challenge to software security, and Google is actively addressing this issue through a strategy known as Safe Coding. This approach emphasizes the transition to memory-safe programming languages as a means to reduce vulnerabilities at their source. The blog post, authored by Jeff Vander Stoep and Alex Rebert, outlines the rationale behind this strategy and presents data demonstrating its effectiveness, particularly in the context of Android development.

    The authors highlight that focusing on Safe Coding for new code can lead to a surprising reduction in overall security risks, even as the amount of memory-unsafe code increases. This counterintuitive outcome is attributed to the nature of vulnerabilities, which tend to decay over time. Research indicates that most vulnerabilities are found in new or recently modified code, suggesting that by prioritizing memory-safe languages for new features, the overall density of vulnerabilities can decrease significantly.

    The blog provides a detailed analysis of the transition that the Android team began around 2019, driven by the rising costs and complexities associated with managing memory safety vulnerabilities. Over a six-year period, the percentage of memory safety vulnerabilities in Android dropped from 76% to 24%, a notable improvement that aligns with the shift towards memory-safe languages.

    The authors discuss the evolution of strategies to combat memory safety vulnerabilities, categorizing them into four generations. The first generation focused on reactive patching, which proved costly and insufficient. The second generation involved proactive mitigations, which raised the cost of exploitation but also imposed performance overhead. The third generation emphasized proactive vulnerability discovery through tools like sanitizers and fuzzing, yet these methods often addressed symptoms rather than root causes. The fourth generation, which Google is now pursuing, centers on high-assurance prevention through Safe Coding. This approach integrates security directly into the development process, leveraging language features and static analysis to create a secure-by-design ecosystem. By establishing a baseline of security through memory-safe languages, the goal is to reduce vulnerability density and improve overall software quality.

    The blog also emphasizes the importance of interoperability between memory-safe and memory-unsafe languages, allowing for a gradual transition without the need to rewrite existing code. Google has invested in tools and initiatives to facilitate this interoperability, such as grants to the Rust Foundation and the development of interoperability tooling.

    As Safe Coding continues to reduce risks, the authors anticipate a shift in the reliance on traditional mitigations and detection methods. They expect that as more code transitions to memory-safe languages, the need for exploit mitigations will decrease, leading to more efficient software. Additionally, proactive detection methods like fuzzing may become more effective as they can be applied to smaller, well-encapsulated code segments.

    In conclusion, the blog post underscores the importance of adopting Safe Coding practices to combat memory safety vulnerabilities effectively. By focusing on prevention and leveraging the natural decay of vulnerabilities, Google aims to enhance the security of its software products, particularly within the Android ecosystem. The commitment to secure-by-design principles is expected to yield long-term benefits in reducing vulnerabilities and improving overall software safety.

  • Monday, March 11, 2024

    Google has published a whitepaper that outlines its "Secure by Design" approach, which advocates for the adoption of languages like Java, Go, and Rust to achieve high-assurance memory safety. Google has a massive C++ codebase. It will gradually adopt memory-safe languages for new code while seeking safety improvements for existing C++.

  • Friday, September 27, 2024

    Memory safety vulnerabilities pose a significant challenge to software security, and Google is actively addressing this issue through a strategy known as Safe Coding. This approach emphasizes the transition to memory-safe programming languages as a means to reduce vulnerabilities at their source. The belief is that by focusing on Safe Coding for new code, the overall security risk of a codebase can be significantly diminished, leading to a notable decline in memory safety vulnerabilities.

    The blog post highlights a remarkable statistic: the percentage of memory safety vulnerabilities in Android has decreased from 76% to 24% over a six-year period, coinciding with a shift towards memory-safe languages. This transition is not just a theoretical exercise; it has practical implications that can be observed in the Android codebase.

    A key insight shared is the counterintuitive nature of the results. As new development increasingly incorporates memory-safe languages, the overall number of memory safety vulnerabilities declines, even as the amount of memory-unsafe code grows. This phenomenon can be explained by the concept of vulnerability decay, where vulnerabilities tend to reside in newer or recently modified code. As older code matures, it becomes less prone to vulnerabilities, leading to an overall reduction in risk.

    The Android team began prioritizing memory-safe languages around 2019, driven by the rising costs and complexities associated with managing memory safety vulnerabilities. The results have been promising, with a continued decline in memory safety vulnerabilities observed in 2024. This decline is attributed to the correlation between the programming languages used for new code and the prevalence of memory safety issues.

    The blog also outlines the evolution of strategies to combat memory safety vulnerabilities over the years. The first generation focused on reactive patching, which proved costly and insufficient. The second generation introduced proactive mitigations, but these often came with performance overhead and did not fully address the root causes. The third generation emphasized proactive vulnerability discovery, yet still fell short of providing high assurance. The fourth generation, which Google is now embracing, is centered around high-assurance prevention through Safe Coding. This approach integrates security directly into the development process, allowing for continuous assurance and reducing the likelihood of introducing vulnerabilities. By leveraging memory-safe languages and focusing on secure-by-design practices, Google aims to break the cycle of constant vulnerability management and instead foster a more secure development environment.

    Interoperability is highlighted as a crucial aspect of this transition. Rather than discarding existing memory-unsafe code, Google is working on making interoperability between memory-safe and unsafe languages seamless. This strategy allows for incremental improvements while capitalizing on existing code investments.

    As Safe Coding continues to reduce risks, the reliance on previous generations of security measures is expected to diminish. The focus will shift towards more selective use of mitigations and enhanced effectiveness of proactive detection methods.

    In conclusion, the adoption of Safe Coding represents a paradigm shift in how software security is approached. By prioritizing memory-safe languages and integrating security into the development lifecycle, Google is not only addressing current vulnerabilities but also setting a foundation for a more secure future in software development. The ongoing efforts and results from the Android team serve as a testament to the effectiveness of this strategy, with further insights and developments anticipated in the coming months.

  • Monday, June 10, 2024

    Google has integrated AI into its internal software development tools, with developers now using AI-based code completion for 50% of code characters. It has improved both model accuracy and user experience, and the company plans to further leverage AI in areas like testing, code understanding, and code maintenance. The industry as a whole is moving towards adding natural language as a common interface for software engineering tasks, like fixing bugs and writing new code.

  • Thursday, March 7, 2024

    Google held an event called “LLM bugSWAT” where people uncovered vulnerabilities in Google's systems. The authors of this article found significant security flaws, including an Insecure Direct Object Reference in Google's Bard and a Denial of Service vulnerability through Directive Overloading in Google's Cloud Console. They used Gemini Extensions to exfiltrate sensitive personal information by cleverly bypassing the Content Security Policy, a feat that earned them a $50,000 reward.

  • Monday, September 16, 2024

    Google has announced confidential matching, a privacy-first tool that uses Trusted Execution Environments (TEEs) to secure first-party data for audience targeting and campaign measurement. The solution ensures that sensitive business data is isolated and protected, even from Google, during processing. It is now the default for Customer Match in Google Ads as part of Google's broader privacy initiatives.

  • Thursday, April 25, 2024

    Prabhakar Raghavan, senior vice president at Google, recently addressed staff in Google's knowledge and information organization about upcoming changes to how the company will operate. Growth for Google is getting harder, so the company needs to react and move faster. The company is shortening the amount of time some teams have to complete certain projects, despite having fewer resources after cost cuts, in an effort to move faster. It plans to build teams closer to users in key markets, including India and Brazil.

  • Wednesday, May 29, 2024

    Leaked Google documents have surfaced, revealing valuable insights into the company's search algorithms. These documents emphasize the importance of using nofollow links consistently and maintaining high content quality, particularly in categories like Travel. While the authenticity of these documents has not yet been confirmed, they seem to validate long-held SEO strategies and practices.

  • Wednesday, March 6, 2024

    Google's March 2024 core update is designed to improve the quality of Search by showing less content that feels like it was made to attract clicks and more content that people find useful. Google also announced 3 new spam policies to address expired domain abuse, scaled content abuse, and site reputation abuse. Both the core update and the spam update launched on March 5th and will take 2-4 weeks to fully roll out.

  • Friday, June 28, 2024

    Google has announced several upcoming enhancements to Google Analytics 4 (GA4) designed to help companies improve measurement and ultimately make better business decisions. AI-generated insights will provide clear, concise summaries that explain fluctuations in GA4 data in plain language. Users will be able to import advertising data from Pinterest, Reddit, and Snap directly into the tool. Cross-channel budgeting will allow marketers to track media pacing and projected performance against a target objective, like revenue, across channels. Google will also begin rolling out support for some of the Chrome Privacy Sandbox APIs to help brands reach audiences and measure effectively without third-party cookies.

  • Wednesday, April 24, 2024

    Google has delayed its plans to phase out third-party cookies in Chrome, citing the need for more time due to industry and regulatory pressure. Despite assurances that it wouldn't backtrack on its timeline, Google did not announce a new date, but mentioned it would not meet its target of deprecating cookies during the second half of Q4 this year.

  • Monday, June 17, 2024

    In 2012, Google embarked on a project to reformat all Bazel BUILD files, which was tough because of inconsistent formatting and a variety of developer preferences. A new tool called Buildifier, which strictly enforced a unified style, was developed to automate this process. The rollout was successful: it allowed for better code maintenance and enabled large-scale changes that were previously considered impossible.

  • Thursday, May 16, 2024

    Google is opening up its Home platform to third-party developers through new APIs that build on the foundation of Matter. Developers looking to tap into the APIs will need to pass certification before rolling out their apps. Apps won't be able to access users' smart home devices without their explicit consent. Google plans to open up access to the APIs on a rolling basis. The first apps using them will hit the Play Store this fall.

  • Friday, March 8, 2024

    Google’s latest core update targets sites that are mass-producing low-quality content. Marketers can still utilize AI responsibly for tasks such as drafting content and FAQs. It’s unclear if Google can actually detect AI-generated content. However, it can identify content that summarizes existing content and websites creating content at an unreasonable scale. The core update also gives paid search ads a boost.

  • Tuesday, July 23, 2024

    Google announced it will no longer phase out third-party cookies in its Chrome browser, citing the need for more comprehensive solutions that balance user privacy and industry requirements. This decision comes after multiple delays and feedback from advertisers and regulators indicating that the transition was more complex than anticipated. Instead, Google will implement a new system that allows users to make informed choices about their web browsing privacy settings.

  • Friday, August 16, 2024

    Google has launched its August 2024 core update to Google Search. The update is designed to improve the quality of search results by showing more content that people find “genuinely useful” and less content that was made for search engines. The rollout may take up to a month to complete.

  • Tuesday, September 10, 2024

    Google's AI Overviews, powered by the Gemini language model, faced heavy criticism for inaccuracies and dangerous suggestions after its U.S. launch. Despite the backlash, Google expanded the feature to six more countries, raising concerns among publishers about reduced traffic and misrepresented content. AI strategists and SEO experts emphasize the need for transparency and better citation practices to maintain trust and traffic.

  • Monday, September 30, 2024

    Google has recently introduced AlphaChip, a groundbreaking AI-assisted chip design technology that utilizes reinforcement learning to optimize chip layouts. This innovative approach significantly accelerates the design process, allowing for the creation of chip floorplans in just a few hours, compared to the traditional timeline of up to 24 months for complex chips. The technology aims to enhance performance, power efficiency, and overall design quality, making it a valuable tool for companies like Google and MediaTek, which have already begun implementing it in their chip designs.

    Historically, chip design has been a labor-intensive and costly endeavor, particularly during the floorplanning phase. While existing AI-assisted tools have emerged, they often come with high costs, limiting accessibility. Google’s AlphaChip seeks to democratize this technology, making it more available to a broader range of developers. The system operates by treating chip floorplanning as a game, where it places circuit components on a grid and learns from each layout it creates, improving its efficiency over time.

    Since its inception in 2020, AlphaChip has been instrumental in designing Google's Tensor Processing Units (TPUs), which are crucial for powering various AI models and cloud services. The technology has evolved with each generation of TPUs, including the latest 6th Generation Trillium chips, enhancing their performance and reducing development time. Although AlphaChip has shown remarkable capabilities, human developers still play a significant role in the design process, particularly for more complex tasks.

    The success of AlphaChip has sparked interest in further research into AI applications across different stages of chip design, including logic synthesis and timing optimization. Google envisions a future where AI-driven optimization could revolutionize the entire chip design lifecycle, leading to faster, smaller, and more energy-efficient chips. As AlphaChip continues to develop, its applications may expand beyond current uses, potentially impacting a wide range of technologies in the future.

    In summary, Google’s AlphaChip represents a significant advancement in chip design technology, leveraging AI to streamline processes and improve outcomes. Its ongoing development and application could reshape the semiconductor industry, making chip design more efficient and accessible.

  • Friday, April 19, 2024

    Google is reorganizing its teams to focus on integrating AI into its products. Its newly formed Platforms and Devices team will oversee Pixel products, Android, Chrome, ChromeOS, Photos, and more, while integrating AI natively into all of them.

  • Tuesday, May 21, 2024

    This article contains an interview with Google CEO Sundar Pichai conducted the day after the Google I/O developer conference last week. Google is building AI into virtually all of its products. The company is currently rolling out AI Overviews in Search, a move that will change the internet ecosystem as we know it. Pichai says that injecting AI into Search is about creating value for users and that users are clicking on links at higher rates in the AI previews. There is a deep tension between Google's vision for the future and the very real fears and anxieties creators and website owners are feeling about how search has changed and how AI might change the internet forever.

  • Tuesday, March 5, 2024

    The evolution of Google’s search features, specifically the introduction of “From sources across the web,” has raised concerns about search result fairness and accuracy. By prioritizing list-based content from big enterprises and neglecting original ideas from independent publishers, Google’s practices contradict its own content guidelines and exacerbate competition issues. Its practices diminish the visibility of original publishers and rely heavily on paid placements, perpetuating a cycle of unoriginality and commercialization in search results.

  • Tuesday, July 2, 2024

    Google's source control system initially relied on a single Perforce server and faced scalability issues as the company grew. To address this, Google engineers developed Piper, a distributed source control system designed for massive scale. The migration from Perforce to Piper took over four years due to the deep integration of Perforce into Google's software ecosystem and the need to avoid disrupting production. However, the migration was successful and Piper is still used at Google today.

  • Monday, March 4, 2024

    Google is testing a new interface design for its core search app that aims for increased visibility, featuring a revamped search bar and colorful quick-action buttons. Departing from Google's standard monochrome design format and the principles of Material You, this development offers insights into a future post-Material You design strategy.

  • Wednesday, July 31, 2024

    Google's internal code review tool Critique is highly rated among software engineers. This article looks at what makes Critique so good and explains how it pairs with Google's process of code review. It covers Google's guidelines for efficient code review, internal statistics on Google code reviews, and how Google uses AI effectively to speed up code reviews. Critique will never be open-sourced, but Google maintains a similar open-source code review tool called Gerrit.

  • Thursday, May 2, 2024

    Google has laid off at least 200 employees from its Core teams. The reorganization will involve moving some roles to India and Mexico. The Core unit is responsible for building the technical foundation behind Google's flagship products and for protecting users' online safety. The Core layoffs also include the governance and protected data group, which will be at the center of regulatory challenges facing the company. Affected employees have access to outplacement services and will be able to apply for open roles within Google.

  • Friday, October 4, 2024

    Google has reaffirmed its commitment to a hybrid work schedule, distinguishing itself from other tech giants like Amazon, which recently mandated a strict return-to-office policy. During a recent town hall meeting, Google executives assured employees that the current hybrid work model would remain in place, allowing staff to work from the office at least three days a week. This decision comes in response to growing concerns among Google employees about the potential loss of their flexible work arrangements, especially after Amazon's CEO announced that all corporate employees would be required to return to the office five days a week starting in January.

    The topic of maintaining the hybrid work policy was a significant point of discussion during Google's "TGIF" monthly meeting, where employees had the opportunity to submit questions. The overwhelming majority of inquiries focused on the company's commitment to its existing work-from-home arrangements, reflecting a strong desire among staff for continued flexibility. In contrast, other companies, such as Salesforce, have also shifted back to a predominantly in-office schedule, further highlighting the trend among some tech firms to enforce stricter return-to-office rules.

    Despite the pressure from industry trends, Google leaders, including Alphabet CEO Sundar Pichai, emphasized that the current hybrid model is effective and will remain flexible as long as productivity levels are maintained during remote work days. This approach indicates a willingness to adapt to employee needs while ensuring that work performance does not suffer. A Google spokesperson confirmed the leadership's comments but did not provide additional details.

    Overall, Google's stance on hybrid work reflects a broader conversation within the tech industry about the future of work and the balance between in-office and remote arrangements. As companies navigate these changes, Google's decision to maintain a flexible work environment may serve as a model for others looking to support their employees' preferences while fostering productivity.

  • Wednesday, May 15, 2024

    Socket Security protects applications from hidden malware in open source code. It goes beyond traditional scanners to find new threats and integrates with GitHub for developer fixes.

  • Tuesday, March 12, 2024

    Google's LLM bugSWAT event challenged hackers to find security flaws in its AI systems. Participants Joseph "REZ0" Thacker, Justin "RHYNORATER" Gardner, and Roni "LUPIN" Carta discovered vulnerabilities in Google's AI features, including exploiting a GraphQL endpoint and leaking information from Google Workspace via Bard's new extensions. Their collective efforts earned them $50,000, with Thacker, Carta, and Gardner securing the top three competition places respectively.

  • Monday, July 8, 2024

    Google's core code tooling team has trained a smart paste model that adjusts pasted code based on the surrounding context. They found a 42% acceptance rate for 6% of all copied code.

  • Wednesday, July 17, 2024

    Danny Sullivan, the Google Search Liaison, said that he expects the next core algorithm update to roll out in the coming weeks. These updates are not scheduled to a particular day, but rather launched once fully tested and approved.