Rust in Peace – A Better Programming Language (From A Cybersecurity Perspective)

Cybersecurity Architecture, Tools / 4 minutes of reading / Leave a Comment

Rust: A Language Built for Security

When data-security firm Fortanix launched in 2016, the company made a strategic decision to adopt the Rust programming language. The motivation behind this choice was to leverage Rust’s security strengths and performance capabilities. Fortanix built support for Intel Software Guard Extensions (SGX) using Rust and benefited from the language’s ability to mitigate memory safety issues. Jethro Beekman, Vice President of Technology and CISO for Fortanix, highlighted the tooling and compiler’s effectiveness in helping developers avoid mistakes. The success of Fortanix’s Rust adoption demonstrates the language’s value in building secure systems.

The Growing Popularity of Rust

The Rust language and its development platforms have seen a steady increase in popularity over the years. Although it may have a lower TIOBE rating compared to C or C++, Rust continues to attract more users annually. According to the Stack Overflow 2023 Developer Survey, Rust is considered the “most admired” programming language, with 85% of developers who used it expressing their desire to continue using it. This trend indicates a strong community of developers and organizations committed to Rust.

Microsoft’s Rust Journey

Microsoft, a sponsor of the Rust Foundation, has been actively exploring the use of Rust to enhance the security of its products. The company is rewriting parts of the Windows kernel using Rust and has already seen a 5% to 15% performance increase in early versions of the code. David Weston, Vice President of Enterprise and OS Security at Microsoft, acknowledges that the adoption of Rust is still in the early stages but affirms the commitment to integrating the language into Windows. This move highlights the potential of Rust in building more secure and reliable systems.

Google’s Rust Adoption

Google has also embraced Rust as a means to improve security and reduce memory-safety vulnerabilities in its Android platform. By transitioning from C and C++ to Rust, Kotlin, and Java, Google has observed a significant drop in memory safety vulnerabilities. Lars Bergstrom, Director of Engineering for Android programming languages at Google, recommends the use of Rust for authoring new C and C++ code when tight control over system resources is required. The National Security Agency also encourages the adoption of alternatives to C and C++ for security-critical code due to their reliance on developers avoiding mistakes.

Lessons Learned for Businesses

  • Consider adopting Rust for secure code development: Fortanix’s success story showcases the value of Rust in building secure systems. Businesses should evaluate the benefits of Rust’s memory safety features and performance for their own codebases.
  • Explore strategic adoption of Rust: While some organizations, like Fortanix, fully embrace Rust, others may choose a more tactical approach by gradually introducing the language into their codebases. Companies should assess their specific needs and determine how Rust can best enhance their security posture.
  • Collaborate with Rust-supportive organizations: The Rust Foundation, sponsored by Microsoft and other industry leaders, provides a platform for collaboration, knowledge-sharing, and community support. Businesses can leverage these resources to stay updated on Rust’s advancements and explore partnerships.
  • Invest in developer training and support: Rust may have a learning curve, but it offers significant benefits in terms of security. Providing developers with the necessary training and support can facilitate a smoother transition to Rust-based development.

Rust’s Business Enablement Objectives and SABSA Attributes

By adopting Rust, businesses can address several business enablement objectives and leverage relevant SABSA (Sherwood Applied Business Security Architecture) attributes.

Business Enablement Objectives:

  1. Improved Security: Rust’s memory safety features contribute to stronger security measures, reducing the risk of vulnerabilities and exploits.
  2. Enhanced Performance: Rust’s performance capabilities can lead to faster and more efficient code execution.
  3. Continued Innovation: Rust’s growing popularity and active community provide opportunities for collaboration and advancing technological innovation.

SABSA Attributes:

  • Security Architecture Attribute: Rust’s memory safety features and focus on security align with SABSA’s objective of building secure architectures.
  • Assessment & Assurance Attribute: Rust’s ability to mitigate memory safety issues and improve security contributes to assessing and assuring the effectiveness of an organization’s cybersecurity measures.
  • Business Attributes: Adopting Rust can help businesses address business enablement objectives such as improved security, enhanced performance, and continued innovation.

By leveraging Rust and considering the lessons learned from companies like Fortanix, Microsoft, and Google, businesses can enhance their cybersecurity strategies and build more secure and reliable systems.

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top