As I tend to do, lately I’ve been collecting evidence about the impact of memory-unsafe languages on computer security, for the purposes of strengthening the Rust argument. I’ve got plenty of (yet unsorted) links to opinions and clever quotes and some ad-hoc analyses (mostly from within the Rust community). I don’t think I’ve got enough firm data from reputable sources to be convincing to skeptics.
Is anybody aware of strong sources for concrete numbers like: quantity of code written in unsafe languages; percent of security vulnerabilities that are due to memory unsafety; financial impact of specific vulnerabilities, and in aggregate; financial impact of maintenance due to debugging segfaults; what proportion of the C++ industry defected to Java when it rolled out. I’m also interested in historic perspective - what was our industry thinking about this subject 30 years ago (need real sources, not anecdotes)?
I did some cursory searches of arxiv.org, but I don’t have much patience.
So does anybody have any great sources on this subject?