Microsoft Considering Future Development in Rust

Alec · Jul 18, 2019

Rust in peace: Memory bugs in C and C++ code cause security issues so Microsoft is considering alternatives once again

Microsoft Security Response Center (MSRC) is waxing lyrical about the risks inherent in C and C++ coding, arguing it may be time to dump "unsafe legacy languages" and shift to more modern, safer ones. The Redmond-based biz has long been a C++ shop when it comes to the programming that matters most to the company – the Windows operating system and the core Office applications, for example.

Gavin Thomas, principal security engineering manager at MSRC, however observed:

The majority of vulnerabilities fixed and with a CVE assigned are caused by developers inadvertently inserting memory corruption bugs into their C and C++ code. As Microsoft increases its code base and uses more Open Source Software in its code, this problem isn't getting better, it's getting worse.

He added "perhaps it is time to scrap unsafe legacy languages and move on to a modern safer system programming language."
Click to expand...

A proactive approach to more secure code

What if we could eliminate an entire class of vulnerabilities before they ever happened?

Since 2004, the Microsoft Security Response Centre (MSRC) has triaged every reported Microsoft security vulnerability. From all that triage one astonishing fact sticks out: as Matt Miller discussed in his 2019 presentation at BlueHat IL, the majority of vulnerabilities fixed and with a CVE assigned are caused by developers inadvertently inserting memory corruption bugs into their C and C++ code. As Microsoft increases its code base and uses more Open Source Software in its code, this problem isn’t getting better, it’s getting worse. And Microsoft isn’t the only one exposed to memory corruption bugs—those are just the ones that come to MSRC.
Click to expand...

Alec · Jul 18, 2019

I think this is great news and very smart. I've been looking into Rust recently, and I think it is a very promising language that has done a lot of things right. I've been very impressed. Rust was originally designed and developed by some of the members of the Mozilla team. I think it really would greatly increase memory secure software design practices if the industry heavyweights such as Microsoft strongly embraced Rust.

While Rust is not what I would call a simple language (unique concepts such as ownership and lifetime add some complexity that other languages attempt to hide or sweep under-the-rug); it is rather an easy language to get started with and start learning as it includes a convenient and straightforward build utility named cargo and has a public package repository called crates. It is also quite fast, one of the few languages actually competitive with and sometimes exceeding C in speed.

stapp · Jul 18, 2019

Already posted about here thanks.

https://www.wilderssecurity.com/thr...soft-is-considering-alternatives-rust.418839/

Log in or Sign up

Microsoft Considering Future Development in Rust

Alec Registered Member

Alec Registered Member

stapp Global Moderator

Log in or Sign up

Microsoft Considering Future Development in Rust

Alec Registered Member

Alec Registered Member

stapp Global Moderator

Useful Searches