The exploration of leveraging Rust was confirmed by Gavin Thomas, Principal Security Engineering Manager for the Microsoft Response Center (MSRC). “You’re probably used to thinking about the Microsoft Security Response Center as a group that responds to incidents and vulnerabilities,” Thomas said. “We are a response organization, but we also have a proactive role, and in a new blog series we will highlight Microsoft’s exploration of safer system programming languages, starting with Rust.” While C and C++ remain very popular, they are aging languages. Rust is a modern programming tool that is considered “memory-safe languages”. That’s because it is specifically designed to protect against vulnerabilities in memory corruption. It is worth noting Microsoft already has its own memory-safe language in C#. However, the company seems more interested in embracing the more mature Rust than waiting for C# to develop further. That said, development of C# will almost certainly continue even if Rust is adopted by the company.
Third-Party Developer Adoption
By exploring memory safe programming, Microsoft will put app security in the hands of language developers and not service developers. Thomas says third parties should also explore the use of memory-safe programming languages. Exploring the use of a memory-safe language such as Rust would provide an alternative to creating safer Microsoft apps. “A developer’s core job is not to worry about security but to do feature work,” Thomas said. “Rather than investing in more and more tools and training and vulnerability fixes, what about a development language where they can’t introduce memory safety issues into their feature work in the first place? That would help both the feature developers and the security engineers-and the customers.”