Rust and software security

Rust - again
I have no idea what is causing that: I am starting to learn Rust for - I think - a third time. Perhaps it is the YouTube bubble in which I’m flowing that is suggesting Rust-related videos; perhaps it is my ADHD brain trying to find something “new” after it got bored with Kubernetes training which took me too long. Whatever the reason, here I am, ready to dive in.
Path
I’m basically following the paths outlined in a codingchallenges.fyi blog post I found some time ago. Here is the summary of what I did so far:
| Step | Hard (0 - 10) | Satisfying (0 - 10) | Notes |
|---|---|---|---|
| The Book | 3 | 7 | Just skimmed through |
| The Book - abridged version | 4 | 6 | Good reference and refresher, the repo seemed abandoned |
| Rustlings | 6 | 8 | Very engaging and insightful, esp. error handling and macros |
| Exercism Rust Track | 7 | 9 | The harder tasks, the bigger the satisfaction |
| Let’s Get Rusty | 3 | 5 | Nice when watched during exercise |
| Jon Gjengset | 8 | 6 | Too high a level, not for me yet, and I’m watching anyway |
I also found an excellent cheatsheet which allows me to better organize/order/hook the knowledge in proper mindshelves (is there even an English word like this?). The graphical cues in memory layout and standard library types are really helpful.
Software security
Recently I found a free Developing Secure Software course (by the Linux Foundation). Some links I found were:
- Concise guide for developing more secure software
- FLOSS best practices with a list of projects that got the badge
- https://deps.dev/ lets you find dependencies from/to packages and covers npm, Go, Maven, Python, Cargo and NuGet
I’m reading this course right now.
How secure is Rust?
Smart guys in the IT business have already answered this question - Rust protects from some of the CWE top 25 - but not all of them - and according to the security assessment from 2022 it is safer than Java. In particular, it protects better against OS Command injection, has better protection against data races and (optional) protection against integer overflow.
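To make two of those points concrete, here is an added example (not taken from the assessment or the linked resources) showing why the overflow protection is "optional" and why `std::process::Command` resists OS command injection. The function names, the `ls` program and the sample inputs are constructed for illustration.

```rust
use std::process::Command;

/// Size of a buffer holding `count` records of `record_len` bytes each.
/// `checked_mul` reports overflow as None in every build profile. The plain
/// `*` operator panics on overflow in debug builds but wraps silently in
/// release builds unless `overflow-checks = true` is set in the Cargo profile.
fn buffer_size(count: u32, record_len: u32) -> Option<u32> {
    count.checked_mul(record_len)
}

/// The value an unchecked release build would compute for the same inputs.
fn buffer_size_wrapping(count: u32, record_len: u32) -> u32 {
    count.wrapping_mul(record_len)
}

/// Build (without running) a command that lists an untrusted path.
/// `Command` hands each argument to the OS as its own argv entry, so no shell
/// ever parses the string. The `--` keeps a path starting with `-` from being
/// read as an option by `ls` itself.
fn list_command(untrusted_path: &str) -> Command {
    let mut cmd = Command::new("ls");
    cmd.arg("-l").arg("--").arg(untrusted_path);
    cmd
}

/// The argument vector the child process would receive.
fn argv(cmd: &Command) -> Vec<String> {
    cmd.get_args()
        .map(|a| a.to_string_lossy().into_owned())
        .collect()
}

fn main() {
    // Constructed input containing shell metacharacters.
    let cmd = list_command("notes.txt; echo injected");
    println!("program = {:?}, argv = {:?}", cmd.get_program(), argv(&cmd));

    // 65536 * 65536 = 2^32, one past u32::MAX.
    println!("checked:  {:?}", buffer_size(0x1_0000, 0x1_0000));
    println!("wrapping: {}", buffer_size_wrapping(0x1_0000, 0x1_0000));
}
```

The protection disappears if the program is replaced with `sh -c` and a formatted string, because the shell then parses the untrusted text.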
Rust security resources
Here are some resources I haven’t read yet, for future reference:
- Secure Rust Guidelines
- High Assurance Rust book with open-source content hosted in a GitHub repo
- Programming Rules to Develop Secure Applications With Rust - it seems this one was issued by the French government, in particular by the French Cybersecurity Agency (ANSSI)
Rust vs other languages

Table from https://insights.sei.cmu.edu/blog/rust-software-security-a-current-state-assessment
Resources
- A reminder: CERT Coding Standard for Java