9/24/2024
Imagine you want to build a high-end jewellery store. You could build an open, friendly, accessible store that encourages browsing and trying the items on, similar to a clothes store.
The problem is that you’d be plagued by theft. To prevent this, you could employ security personnel to watch everyone, put a big fence around your store, search everyone as they leave, and put security tags on everything.
That would be a massive pain—and no one does it. Instead, they build a more secure store from the start. They don’t retrofit a bunch of security measures on top of an insecure design. That would be crazy.
And yet, that’s how we build many of our IT systems. Here’s why Rust Programming is the cyber security answer.
Writing Insecure Software
Software is hard to write. Large applications have lots of convoluted logic and complex dependencies. Furthermore, software requires a lot of custom components, making it impossible to assemble entirely from well-understood building blocks.
People (such as programmers…no snide comments, please…) struggle to keep track of that level of complexity. Bad actors count on this complexity to carry out cyber-attacks.
Modern programming languages, tools, and development processes have been created to help us. Unfortunately, we often don’t use them.
What?! Why?!
Inertia, lack of skills, legacy code, comfort, convenience—it’s a frustratingly long list.
Consider computer languages. C and C++ have been popular for decades. There are many programmers who have invested entire careers in mastering these languages. Millions of lines of code are written using them—including code that powers core infrastructure like operating systems. Windows, macOS, and Linux are all predominantly written using C/C++.
C/C++ are popular because they give you a lot of control and can be used to write efficient code—both things that are important when developing infrastructure. Programmers talk about such languages as being “close to the metal.” The downside to this level of control is that you have to be careful not to break anything. C and C++ don’t come with safeguards.
Working with C/C++ involves a lot of manual, explicit memory management. It’s very easy to get this wrong, and when you do, you open up security holes in your applications. Not ideal when those applications represent critical infrastructure.
C and C++ are great languages for building footguns. Footguns that efficiently remove both feet with one pull of the hair trigger.
Rust to the Rescue
It doesn’t have to be this way. Modern programming languages exist that help the programmer handle some of the complexity. C#, Go, and Rust are examples of popular enterprise development languages that try to prevent programmers from hurting themselves—and the rest of us.
Rust is interesting as it’s a “close to the metal” language, capable of providing the control and performance required when developing infrastructure. This makes it a viable replacement for C/C++ in many situations.
Industry Luminaries Agree
Microsoft Azure CTO Mark Russinovich said:
[...] it’s time to halt starting any new projects in C/C++ and use Rust [...]. For the sake of security and reliability, the industry should declare those languages [C/C++] as deprecated.
The US Government’s Cybersecurity and Infrastructure Agency (CISA) has also argued for the benefits of using memory-safe programming languages.
Innovations in Rust
Rust has a bunch of innovations that make it much harder for programmers to introduce security flaws into their applications, such as:
- Ownership System: Providing memory safety.
- Immutability: Reducing unintended side-effects.
- Strong Typing: Resulting in the tooling being able to identify issues overlooked by programmers.
- No Null Pointers: Rectifying Tony Hoare’s $1bn mistake.
How Can Your Organisation Benefit from Rust?
Adopting Rust brings many benefits to your organization:
- Enhanced Security: Rust is designed to write secure software. It’s in the DNA of the language and tooling.
- Increased Performance: Rust can be used to write highly performant code, resulting in a vastly improved user experience when replacing applications written in languages such as Python.
- Improved Reliability: Applications written in Rust have fewer bugs, resulting in less downtime for your systems.
- Cost Efficiency: Insecure software is expensive—downtime, damage to reputation, and fines can make the investment in Rust very attractive to a CFO.
- More Productive Teams: Google has reported that Rust developers are twice as productive as C++ developers.
- Easier Recruitment: Rust has been voted the most loved language for eight years in a row in Stack Overflow’s annual developer survey. The modern language features and powerful tooling make it a pleasure to use. Programmers enjoy working with good tools.
Real-World Applications
I’ve personally found Rust to be very effective when building large simulation models, such as in epidemiology or sports modelling. These applications perform billions of calculations, so they require blistering performance. It’s also very difficult to spot errors in this many calculations, so the checks performed by the Rust compiler help to produce accurate predictions.
Writing Secure Software
To be clear—Rust isn’t a panacea. It’s still possible to write insecure software using Rust. But it’s much harder than doing it with C/C++.
How can you use Rust in your organisation? It’s impossible to give advice that works for every situation, but it really can, sometimes, be as simple as training your programmers up and writing new code in Rust.
Getting Started with Rust
Learning Tree offers a two-day Rust Essentials course that covers the basics of the language. If you prefer to read, the official docs are well-regarded.
Insecure systems are increasingly a major risk to companies and governments. The time to write more secure software isn’t tomorrow. It’s right now. Get learning.
By leveraging Rust, you can build a cyber defence that is robust, efficient, and secure. Rust's innovations in systems programming, coupled with its focus on security, make it an indispensable tool for cybersecurity professionals, SecDevOps engineers, and Rust programmers alike.
For more insights on how to bolster your cyber operations and incident response mechanisms, visit our Cybersecurity Training and Talent Solutions.