In Search of Rust Developers, Companies Turn to In-House Training
Google, Fortanix, and other firms have aimed to train a cadre of Rust developers, betting that the additional cost will be offset by security savings.
October 2, 2023
As the benefits of using memory-safe languages become clearer, many organizations are shifting away from treating code written in Rust as experimental to fully supporting the language and encouraging widespread use. Recognizing that there aren’t enough developers who know Rust well enough, many of these organizations are also working on initiatives to help close that gap.
For example, Google trained more than 500 engineers in Rust in the past year using a three-day training course developed internally, says Lars Bergstrom, director for engineering for Google’s Android Programming Languages. The entirety of the course material is now published on the Internet.
"Providing our own training allows us to both focus on the features and tools required for our engineers to be successful at Google, as well as create a tight feedback and iteration loop as new people onboard and then provide feedback we can use to help the next set of learners," he says. "We decided to open source our Rust training based on an observation that it filled a gap in publicly available resources."
Embracing Rust
Organizations are increasingly paying attention to which application frameworks and programming languages developers are using as part of their efforts to secure the development pipeline. Rust scratches a particular itch: Whereas other languages — such as Go, Java, Kotlin, and Python — may be useful for creating scripts, Web applications, and cloud services, Rust is a replacement for the low-level C and C++ languages, often used to write operating systems, network software, and high-performance software, such as video games.
Rust had already resulted in far fewer memory-safety vulnerabilities in the latest version of Android, with that class of bug accounting for about a third of all vulnerabilities — the first time memory-safety issues accounted for less than half of all Android vulnerabilities.
Google is not alone in adopting Rust, of course. Microsoft has already embarked on porting Windows drivers for handling fonts and graphics to Rust. In March, Internet-infrastructure firm Cloudflare announced its revamped proxy framework, Oxy — the foundation of its zero-trust and various routing services — had been developed in Rust. Dropbox has also created its own cloud storage system, dubbed Magic Pocket, and a visual communication tool, Dropbox Capture, using Rust.
Yet all the companies have had to struggle with training their developers in Rust. (Perhaps proving the point, the blog post on Dropbox Capture concludes with, "Do you love Rust? Do you want to grow as an engineer? Dropbox is hiring!")
If You Can't Hire, Train...
As a result, concerted efforts are underway to develop training materials for Rust. Universities, boot camps, and online courses are all increasing to meet that demand, says Rebecca "Bec" Rumbul, executive director at the Rust Foundation. Microsoft has released both an introduction to Rust for coders, "Take your first steps with Rust," and a 35-part YouTube video series, "Rust for Beginners." The Rust project also has its own resources, including a book, "The Rust Programming Language."
The Google course, Comprehensive Rust, is available for anyone to take. The availability of comprehensive materials to help developers expand their Rust expertise may also help raise the language's profile, Rumbul says.
"While there are lots of training courses and providers delivering great Rust content, I'm not sure there are many on the same scale," she says.
Most developers feel comfortable writing Rust in 2 months. Source: Google
While Google has taken a formalized training route, other companies that rely on Rust have an ad-hoc approach. At data-security firm Fortanix, whose core products were built in Rust, the developers had to teach themselves, says Anand Kashyap, CEO and co-founder of Fortanix, who worked with the development team.
"Fortanix does experience a shortage of knowledgeable Rust programmers, but it has found that good programmers, and especially good system programmers who know C/C++, can be trained to become good Rust programmers," he says. "Most engineers hired by Fortanix who write code exclusively in Rust had no prior Rust experience."
Most developers have little problem changing gears and learning the language, says Kashyap.
"Application programmers who have experience using Java, Python, etc., would find it relatively harder to learn Rust compared to system programmers who have experience writing software in C or C++," he says. "Many of the concepts in the Rust programming language are based on computer science fundamentals, and a good software engineer should learn them quickly after they understand them."
In fact, two-thirds of developers feel confident about writing Rust programs within two months, according to a Google survey of its developers.
Given the plummeting number of memory-safety issues in successive versions of the Android operating system, those two months spent learning Rust are well spent, says Martin Geisler, a software engineer at Google.
"The Android team has made a multiyear effort to first provide the technical foundation for this adoption organizationwide and also provide the necessary training," he says. "This is a strategic effort that prevents classes of security vulnerabilities and also brings increased productivity."