The Rust Foundation outlined many improvements to the security structure of the language and expressed its commitment to developing tools, features, and recommendations based on security research in its Security Initiative Report.
The Rust advancements follow the White House’s National Cybersecurity Strategy Implementation Plan that signals a deep civic investment in more secure programming languages like Rust and how popular, growing languages that are perceived as “secure” need to work swiftly to address security gaps in the midst of this wider adoption.
One of the core pillars of the strategy is to “promote open-source software security and the adoption of memory-safe programming languages.” Among these languages, Rust is one of the fastest-growing and most used memory-safe options.
The Rust Foundation initiated an audit of the state of security within the Rust ecosystem that will allow both the Rust Foundation and project to anticipate risks better and define how security can be economically maintained on an ongoing basis.
This year, the Rust team aimed to enhance insights into crate security and emphasize information related to it. Their current focus is on software supply chain security, and they are working collaboratively with the Rust Foundation and crates.io teams. Their efforts involve revealing individual crate security information, including assessments for leaked secrets, identifying malicious crates, and creating security best practices scoring models.
So far, the team has not encountered any actively malicious crates. However, they have discovered several cases of leaked credentials, and they have taken proactive steps to reach out to the affected crate owners and address the issue, according to the report.
Also, threat modeling exercises have been conducted by the Rust Foundation and Rust Project to gain a deeper understanding of the risks highlighted in the Security Audit. The development of four distinct threat models involved collaboration with various internal teams, including the crates.io Team, Infrastructure Team, Security Response Working Group, and Secure Code Working Group, as well as external stakeholders. The details of all these threat models are expected to be shared with the community in the near future.