The TIOBE Index, which tracks programming language prominence, ranks Rust in 13th place on its list of languages by popularity as of 2024 – which is high, but not high enough to place Rust on a par with other, more widely used languages, such as C and Java.
Yet, when it comes to programming languages that developers most appreciate – as opposed to those they actually use – Rust tops the list. According to the Stack Overflow Developer Survey of 2023 (the most recent available), a whopping 85% of coders “admire” Rust.
These findings raise the question: If Rust is not all that widely used, why are developers so excited about it? The short answer is that Rust helps solve some of the deepest security challenges facing today’s software developers. By extension, it helps transform the principles behind DevSecOps into actual practice.
For the longer answer, read on as we unpack what exactly makes Rust more secure, which other benefits it offers, and why developers should consider not just admiring, but also using, Rust today.
What is Rust?
The Rust programming language was created in 2006 primarily as a more secure alternative to languages like C and C++. The goal behind Rust is to deliver the speed and performance of these languages, while providing security protections that these languages lack.
What makes Rust secure?
Rust offers several features that help improve security, including:
- Variable validation: Rust checks variables when code is compiled to detect errors or mistakes that could create vulnerabilities in Rust applications.
- Ownership transfer: When resources are assigned in Rust code, Rust performs what’s known as ownership transfer, or a move. This deletes the prior owner of the resource (if any) and memory associated with it. From a security perspective, this ownership transfer is helpful because it reduces the risk of dangling pointers, which attackers could exploit to write and execute arbitrary code.
- Ownership-based concurrency: Similarly, Rust enforces rules, known as ownership-based concurrency, to restrict how threads can interact with each other based on resource ownership. This also helps to reduce the risk of leaving memory space open in ways that attackers could exploit.
In short, Rust includes built-in features that help to minimize the risk of security problems related to memory, like buffer overflow attacks and null pointer dereferences.
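The features listed above can be seen in a short program. This is an added example, not code from the original article; the function names (`consume`, `read_byte`, `parallel_count`) and the sample data are hypothetical and constructed for illustration.

```rust
use std::sync::{Arc, Mutex};
use std::thread;

/// Takes ownership of `token`; the caller's binding is invalid after the call.
fn consume(token: Vec<u8>) -> usize {
    token.len() // `token` is dropped (freed) exactly once, at the end of this scope
}

/// Bounds-checked read: an out-of-range index yields None instead of
/// whatever happens to sit next to the buffer in memory.
fn read_byte(buf: &[u8], idx: usize) -> Option<u8> {
    buf.get(idx).copied()
}

/// Four threads update one counter. The compiler only accepts shared mutable
/// state across threads when it is wrapped in types such as Arc<Mutex<_>>.
fn parallel_count(per_thread: u32) -> u32 {
    let counter = Arc::new(Mutex::new(0u32));
    let handles: Vec<_> = (0..4)
        .map(|_| {
            let counter = Arc::clone(&counter);
            // `move` transfers ownership of this clone into the new thread
            thread::spawn(move || {
                for _ in 0..per_thread {
                    *counter.lock().unwrap() += 1;
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let total = *counter.lock().unwrap();
    total
}

fn main() {
    let session_token = vec![0xde, 0xad, 0xbe, 0xef]; // constructed sample data
    let len = consume(session_token);
    // println!("{:?}", session_token); // rejected at compile time: error[E0382], value was moved
    println!("consumed {} bytes", len);
    println!("in range: {:?}", read_byte(&[1, 2, 3], 1));
    println!("out of range: {:?}", read_byte(&[1, 2, 3], 7));
    println!("counter = {}", parallel_count(1000));
}
```

Uncommenting the `println!` of `session_token` makes the build fail, which is the compile-time enforcement the list describes: the use-after-move never reaches a running binary.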
Advantages of Rust
These security protections, along with other Rust features, translate to a number of Rust advantages:
- Enhanced memory-related security: As we mentioned above, Rust reduces the risk of memory-related security vulnerabilities.
- High performance: Because Rust’s security features mostly involve compile-time checks, they don’t come at the expense of performance. Rust code typically executes at speeds comparable to high-performing languages like C and C++.
- Concurrency: Rust offers full support for concurrency and multithreading. Using these capabilities, developers can boost Rust performance further by designing programs to complete multiple tasks simultaneously.
- Efficiency: In addition to improving security, Rust’s advanced memory-management features help code execute efficiently – so much so, in fact, that Rust programs use substantially less electricity than those written in most other mainstream languages.
- Strong community: Developers who use Rust benefit from a large, dynamic, and enthusiastic community. It’s easy to find documentation and tutorials for Rust, and to get technical support from community members.
Rust use cases
A general-purpose programming language, Rust can support virtually any use case. It’s not just for situations where security is a top priority.
That said, because of Rust’s focus on security and efficiency, the language lends itself especially well to use cases where both of these characteristics are priorities. For example, if you’re writing a banking app that needs to run on smartphones with limited resources, Rust would be ideal because it will help you write a high-performing application while reducing security risks.
In the wild, you’ll find Rust powering a wide variety of applications. Microsoft uses Rust to write core Windows code, for example, and Amazon uses Rust for services like S3 and Firecracker.
How Rust puts DevSecOps into practice
At Checkmarx, what excites us most about Rust is how it puts the DevSecOps spirit into practice by helping developers adhere to security best practices.
It’s one thing to talk about DevSecOps, which means breaking security out of a silo and turning it into a responsibility that developers, security experts, and IT operations engineers manage collectively. It’s another to implement DevSecOps by ensuring that developers and IT engineers actually make security a top priority.
But as a language that automatically enforces responsible security practices during coding and provides built-in checks to reduce the risk of building and deploying insecure code, Rust helps make security an integral part of software development in practice, not just in theory. And it does this without requiring developers to work any harder than they would when coding in any language, or learn new tools.
To be sure, using Rust is not a guarantee that your code will be risk-free. Teams should still perform Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) scans for Rust applications.
But when you use Rust, you can have greater confidence in the ability of your developers to write code that’s secure out-of-the-gate.
Securing Rust with Checkmarx
Because Rust is not a top programming language by popularity, not all application security platforms offer full-fledged support for Rust. But Checkmarx does. Rust is among the dozens of languages that Checkmarx supports. We don’t think developers should have to shy away from taking advantage of Rust’s security, performance, and efficiency benefits just because they can’t find good security testing tools for Rust.