Evaluating Use of a New Programming Language ~ Rust
ACM.450 Is it safe to use an open source language not supported directly by a vendor?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: AWS Security | Application Security
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the last post I was writing about ideas for importing resources into CloudFormation.
Along the way I’ve been considering which “real” programming language I might use going forward to implement all of what I’ve been building. I was interested in golang because it has some built-in safety mechanisms, but I hear more and more about Rust, so I am looking into that as well.
Whenever I use a new product, service, programming language, or anything else in technology I look at two things first and foremost. I look at who created it and who maintains it.
I’ve written about this before in relation to supply chain attacks and added a variation of this information to the lab content when I updated the SANS material for a cloud security class I used to teach (originally written by Dave Shackleford, fellow IANS faculty member now.)
Before I use any open source software, I look at who wrote the software and who maintains it.
If you look at the GitHub repository for any open source software you can see who created it, who owns it, and who is actively contributing to the software. I also like to review the process for updating and reviewing the software and think about potential long term risks if things change.
I was recently considering whether I wanted to migrate some of what I am doing to Rust.
So of course the first thing I did was look at who created it.
In 2006, software developer Graydon Hoare started Rust as a personal project while he was working at Mozilla.
It’s an interesting story and seems to be fine as far as I am concerned. Rust was created as a side project by someone working at Mozilla who later went to work on Swift at Apple. He is no longer involved in the project.
Who supports the software now? Well, Mozilla continued to support the software after he left until 2020. During the COVID pandemic, they laid off most of the Rust staff. So unfortunate.
Then, a foundation was created to support Rust.
Here’s what Wikipedia has to say about it, and if you don’t trust Wikipedia you can verify this against other sources:

So as I’m reading the above I notice one name in particular: Huawei. That’s a Chinese company. Chinese companies are subject to Chinese law. I wrote about that here:
Chinese law states that if anyone in China finds a vulnerability in some technology, it must first be reported to the Chinese government and not disclosed to anyone else. That causes me to pause and consider the implications.
That doesn’t mean everyone from China is bad — far from it. It just may be a concern because Chinese citizens and companies have to follow Chinese laws. If Chinese citizens or companies are involved in a project, do they have access to vulnerabilities others might not know about?
On the other hand, people in China might be more willing to use the language if they are involved in the process and can see for themselves no one is intentionally inserting malware and vulnerabilities for political reasons.
We can take a closer look and see what the risk might be in this particular case.
Take a look at the GitHub repository.
Scroll down to Contributors.

Here’s where you can see who is contributing the most to the open source software.

You can also look at what they are contributing. You can review the code and the issues related to anyone’s contributions.
I read something recently about monitoring for people who intentionally submit security flaws to open source software. I wonder what kind of review process Rust has and who is in charge of it.
And no, your software scanner is not going to find every subtle logic error. Scanners can help find things humans miss or don’t have time to review, but in critical components, human review is the most effective and essential. I often have to set my scanners aside on penetration tests when they aren’t working properly and reverse engineer what is going on — and almost always come up with a load of vulnerabilities because companies were counting on scanners that weren’t really working.
In other cases, your scanner might be the problem:
I found this information about the Rust code review process:
Well, that sounds ok. Only one reviewer for updates, but better than nothing. When people say they have policies that’s great, but do they follow them? That’s what audits are for. Is anyone auditing the Rust review process?
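The two checks described above, looking at who contributes the most (the Contributors view) and whether the one-reviewer policy is actually followed, can be run over a project's own git history rather than eyeballed on GitHub. The script below is an added example, not code from this post or from the Rust project. It assumes the history was exported one commit per line as tab-separated `sha`, author email and reviewer email, for instance with `git log --format='%h%x09%ae%x09%(trailers:key=Reviewed-by,valueonly)'`; the `Reviewed-by` trailer is an assumption, and a project that records approvals in a merge bot or GitHub reviews would need a different export step. The sample history, addresses and shas are constructed.

```python
"""Contributor-concentration and review-coverage checks over a git log export.

Added example (not from the post or the Rust project). Assumed input: one
commit per line, tab-separated <short sha> <author email> <reviewer email>,
with the reviewer field empty when no Reviewed-by trailer was recorded.
"""
from collections import Counter

# Constructed sample history; addresses and shas are made up.
SAMPLE_LOG = """\
a000001\talice@example.org\tbob@example.org
a000002\talice@example.org\tbob@example.org
a000003\talice@example.org\tcarol@corp.example
a000004\talice@example.org\t
a000005\tbob@example.org\talice@example.org
a000006\tbob@example.org\tbob@example.org
a000007\tcarol@corp.example\talice@example.org
a000008\tdave@corp.example\tcarol@corp.example
a000009\talice@example.org\tbob@example.org
a000010\tcarol@corp.example\talice@example.org
"""


def parse_log(text):
    """Return a list of (sha, author, reviewer) tuples; reviewer is '' when absent."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        sha, author = fields[0].strip(), fields[1].strip().lower()
        reviewer = fields[2].strip().lower() if len(fields) > 2 else ""
        commits.append((sha, author, reviewer))
    return commits


def contributor_share(commits):
    """Fraction of commits per author, most active first."""
    counts = Counter(author for _, author, _ in commits)
    total = len(commits)
    return {author: n / total for author, n in counts.most_common()}


def domain_share(commits):
    """Fraction of commits per author email domain, a rough proxy for which
    organisations shape the history. Personal addresses blur this, so treat
    the result as a pointer for manual review rather than a verdict."""
    counts = Counter(author.rsplit("@", 1)[-1] for _, author, _ in commits)
    total = len(commits)
    return {domain: n / total for domain, n in counts.most_common()}


def bus_factor(commits, threshold=0.5):
    """Smallest number of top contributors whose commits together exceed
    `threshold` of the history. A value of 1 means one person's departure
    or account compromise touches most of the code."""
    counts = Counter(author for _, author, _ in commits).most_common()
    total = len(commits)
    accumulated = 0
    for rank, (_, n) in enumerate(counts, start=1):
        accumulated += n
        if accumulated / total > threshold:
            return rank
    return len(counts)


def review_gaps(commits):
    """Shas of commits that landed with no recorded reviewer, or that were
    'reviewed' by their own author, i.e. where a one-reviewer policy was
    stated but not actually met."""
    return [sha for sha, author, reviewer in commits
            if not reviewer or reviewer == author]


def report(text):
    """Summarise the exported history in one dictionary."""
    commits = parse_log(text)
    return {
        "commits": len(commits),
        "by_author": contributor_share(commits),
        "by_domain": domain_share(commits),
        "bus_factor": bus_factor(commits),
        "review_gaps": review_gaps(commits),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, one author holds half the commits, two authors together hold 70%, and two of ten commits (`a000004`, `a000006`) would fail the reviewer check. Those are the numbers to take to the contributors page and the issue tracker: who those people are, who employs them, and whether the unreviewed commits touched anything security-sensitive.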
Well, when you have open source software supported by “the community” who is going to pay for that audit?
We can learn something about Rust funding and operations here in the annual report (and you can find prior annual reports by changing the year in the link: https://foundation.rust-lang.org/static/publications/annual-reports/annual-report-2023.pdf)
The good thing is that Rust has support from many major high tech companies, not just one big one for the primary funding (like the Cloud Native Foundation, which is primarily funded by Google).

I like this section on security very much:

Aha — here’s something about security auditing. This sounds promising.

Well, nothing is foolproof and that’s not a ton of detail, but one thing I like is that there are multiple companies involved with divergent interests that will hopefully balance each other out and keep things transparent.
Also, if I start using the software I can take a closer look at it myself and see what I can find. 😊
Update — a couple of days after I wrote this post, Google announced a new grant for the Rust Foundation:
Interesting!
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2024
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab