The group dedicated to securing Rust — one of the hottest programming languages among development teams today, one embraced by Microsoft, Amazon, and the U.S. government — issued its first progress report last week.
The Rust Foundation Security Initiative program revealed in a 19-page report that it had made progress in completing an audit of the Rust ecosystem, completed several threat models to better understand the risks identified in the audit, and added some new tools to enhance security workflows for Rust developers and maintainers.
The Rust Foundation Security Initiative report states:
"The Rust ecosystem has not yet been the victim of a concerted effort to distribute malware among packages, but recent events in other open-source package repositories have highlighted the need for such monitoring."
Here's what you should know about the Rust Foundation Security Initiative's report — and why the programming language's audit and resulting new tooling matters for application security — and software supply chain security.
[ Get report: Software Supply Chain Security Risk Report | Join related Webinar: Do You Understand Your Software Supply Chain Risk? ]
Foundation report touts big changes
Based on the Rust Foundation's extensive audit, the Security Initiative group is introducing new programming ecosystem tools, which include:
- Painter—This open-source project completes a call graph across a crate ecosystem to reveal how crates relate to each other. In Rust, a crate is a self-contained unit of code that can be compiled and used independently. Crates can be used to create both libraries and executables. When a vulnerability exists in one crate, Painter allows users to more easily assess potential or active risks to other crates. The tool is aimed at addressing issues and determining risks when using other tools, such as Cargo Audit, which is used to audit Rust projects for security vulnerabilities. Painter allows users to determine not only whether a vulnerable dependency exists, but also whether the attack path is realized.
-
Crates.io admin console—When fully implemented, this establishes security guardrails for common operations. Developers believe this will advance the state of automation within the administration of crates.io, the crate registry for the Rust community.
- Sandpit—This ecosystem for scanning work-in-progress aims to create automated tooling and techniques for identifying possibly malicious crate activity on crates.io.
The hot programming language to watch
Rust has become one of the most popular new languages on the planet, Clive Thompson wrote in MIT Technology Review:
"There are 2.8 million coders writing in Rust, and companies from Microsoft to Amazon regard it as key to their future. The chat platform Discord used Rust to speed up its system, Dropbox uses it to sync files to your computer, and Cloudflare uses it to process more than 20% of all internet traffic."
Thompson noted in his post that in an annual poll of developers around the world conducted by the coder discussion board Stack Overflow, Rust has been rated the most "loved" programming language for seven years running.
"Even the US government is avidly promoting software in Rust as a way to make its processes more secure."
—Clive Thompson
Rebecca Rumbul, the Rust Foundation's executive director and CEO, wrote in the foreword to the report that, just like the developers who are turning to Rust in increasing numbers to build performant systems, prominent government agencies are beginning to see Rust as a safer coding solution — particularly for software supply chain security.
"Indeed, the hardworking maintainers of Rust have always prioritized security and safety — many of its built-in features are evidence of this. Rust’s stellar reputation as a safety and security tool in coding has grown more robust along with its visibility, popularity, and adoption."
—Rebecca Rumbul
Rumbul said security enhancements showed the Rust Foundation's commitment to properly support the future of Rust and its growing community. "That’s why we launched our Security Initiative in September of 2022, with generous founding support from OpenSSF’s Alpha-Omega project, technical support from Platinum Member JFrog, and subsequent financial support from Platinum Member Amazon Web Services."
Reducing technical debt: Key to software supply chain security
The Security Initiative team noted in the report that its audit efforts are currently focused on software supply chain security. Assessment efforts include leaked secrets, malicious crate detection, and security best practices scoring models. While no malware was found, there were leaked secrets.
"The team has not identified any actively malicious crates thus far. Multiple cases of leaked credentials were discovered, and the team has actively contacted the affected owners."
The report also revealed that the Rust Foundation and crates.io teams collaborated in June to produce a statement on a shared general approach should either party ever receive a legally binding request for data.
Progress has also been made in reducing technical debt in crates.io. Key activities performed during the eight-month period of the report include:
- Fixing the handling of releases with build metadata in their version strings
- Migrating to the “secrecy” crate to avoid accidental leakages of credentials and other secrets
- Introducing cargo-deny to signal possible vulnerabilities, as well as avoiding using crates that have been abandoned or are no longer maintained and keep dependencies up to date with the latest security fixes
- Adding tracing information to many code paths
- Cleaning up broken crate files stored on S3
A pledge to be proactive
Ways of isolating questionable crates are also being considered by the Rust Foundation team, the report noted. For example, the team has written a request for comment for the ability to quarantine problematic crates after a set of security thresholds have been met.
If approved, the report explained, the feature will make it possible to keep a crate in a holding pattern from public use while security checks are made within the crates.io infrastructure to ensure its safety. Once the quarantine function is approved, the team plans to add it to the crates.io admin console.
The Rust Foundation is also working with its infrastructure team to begin documenting access control provisioning and de-provisioning within the Rust Project. In addition to documenting the process, the foundation wants to identify gaps and areas for automation or improvement.
The progress report said of its future focus:
"The goal over the next year is to ensure that proactive measures have been taken to prevent potential threats and bad actors within the Rust ecosystem, while also supporting the technical and people capacity to quickly mitigate any active vulnerabilities that may arise. This endeavor will require continued coordination and collaboration with the Rust Project, appropriate Project teams, and a growing group of diverse stakeholders."
Matt Rose, Field CISO for ReversingLabs, said he applauds the Rust Foundation for taking a proactive approach to software supply chain security, and general security overall.
"A lot of organizations take a reactive approach to security, along the lines of, 'It hasn't happened to me yet so I must not be vulnerable.' Actors that are looking to compromise software, applications, and software supply chains have unlimited time and resources to execute their attacks, so a proactive approach is a must."
—Matt Rose
