The team is intended to support the broader Rust community with the highest level of security talent and help ensure the reliability of the language. While there sometimes has been a perception that, because Rust ensures memory safety, the language is 100% secure, Rust can be vulnerable like any other language, said Bec Rumbul, foundation executive director, in a statement released September 13. Proactive measures are warranted to protect and sustain Rust, she said.
The Rust security team is being underwritten with support from the OpenSSF Alpha-Omega Initiative, a Linux Foundation project focused on supply chain security for open source software, and devops platform provider JFrog. The OpenSSF Alpha-Omega Initiative and JFrog will provide dedicated staff and resources to implement best practices for Rust security. An initial initiative entails performing a security audit and threat modeling exercises to identify how security can be economically maintained moving forward. The team also will help advocate for security practices across the Rust landscape, including Rust’s Cargo package manager and the Crates.io registry.
The OpenSSF argued in its 10-point Open Source Security Mobilization Plan earlier this year that the industry should work to eliminate the root causes of many vulnerabilities by replacing non-memory-safe languages such C and C++ with languages such as Rust and Go. The OpenSSF Alpha-Omega initiative is funded by Google and Microsoft, with a mission to improve security in open source software projects.
Copyright © 2022 IDG Communications, Inc.