Cloud Providers Azure and AWS Recommend Software Developers Adopt Rust for Software Security & Sustainability Objectives

As users of tech, we often take software for granted, but the programing language used to underpin a cloud or endpoint application can have consequences for security, performance, latency, maintenance, and even sustainability. In a recent Twitter post, Mark Russinovich, the Chief Technology Officer (CTO) of Microsoft’s Azure cloud platform declared, “… it's time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. For the sake of security and reliability, the industry should declare those languages as deprecated.”

It is not just Microsoft taking a proactive stance regarding Rust, in a blogpost (Sustainability with Rust) in February 2022, Amazon Web Services (AWS) Rust lead, Shane Miller, and principal engineer, Carl Lerche, advocated that Rust has become “critical to building infrastructure at scale.” The two engineers reported that Rust has been rolled out in Amazon’s Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), and Amazon CloudFront, among others.

But what is Rust? And what is driving its adoption in the software developer and cloud Application Programming Interface (API) and service space?

GitHub maintains a ranking, the PopularitY of Programming Language (PYPL) Index. The Index analyzes how often language tutorials are searched on Google. The more a language tutorial is searched, the more popular the language is assumed to be (See Table 1).

Table 1 shows that C/C++ is currently the 5th most searched programming tutorial term, whereas Rust is in 14th place, but it is growing in popularity. Indeed, Rust also shows the second fastest growth with +0.7%.

Specifically, Mark Russinovich advocates that Rust is preferable over C and C++ for new projects that require a non-Garbage-Collected (GC) language. A GC-enabled programming language includes one or more garbage collectors that automatically free up memory space that has been allocated to objects no longer needed by the program. GC ensures that a program does not exceed its memory quota. This not only affects performance, but also leads to a memory leak that can be exploited by malware or a hacker. Rust utilizes the “borrow checker”—ensuring that references do not outlive the data to which they refer as processed by the compiler. This prevents memory violation bugs. Memory leaks should not be underestimated. In 2019, Microsoft reported that 70% of all security bugs are memory safety issues. As the number of smartphones, tablets, laptops, and cloud services have grown exponentially, any vulnerabilities in programming software can expose valuable enterprise, business, and end-user data to malicious actors and software.

Rust was originally developed within Mozilla, but since February 2021, the development of Rust has been overseen by the Rust Foundation. Key partners in the Rust Foundation include Meta (Facebook), AWS, Google, and Microsoft, among others. Both Google and the Linux Foundation are carrying out evaluations and software builds with Rust for the Android and Linux kernels, respectively. In fact, Linus Torvalds announced recently that the next release of Linux Kernel would include integration with Rust, as only the second language, in addition to the original C.

There is no such thing as the perfect programming language. Many programming languages are often tailored to an application environment. Rust is a systems programming language, which allows the program to maintain control over low-level operations. The developer may be striving to develop a game title or need to develop a front end web development asset where Unity or JavaScript may be better suited.

Some of the proponents of C/C++ have highlighted its perceived operational performance in processing software tasks compared to Rust. As experience, training and software storage design have improved access to a program’s software libraries. A number of software developers have rolled up their sleeves and started to port C/C++ built programs into Rust. It is not just cloud service providers Microsoft Azure and AWS that have enthusiastically adopted Rust, but also a burgeoning collective of downstream software developers. At a P99 Conference, Brian Martin, software engineering team lead of Twitter, stated that not only did Twitter port a caching application to Rust, but also that the Rust-based program outperformed C. RisingWave, a cloud-native streaming database provider, declared that it had decided to rebuild its software in Rust from scratch after 7 months of development time in C++.

Software can even play a role in green economy initiatives. It is not just the financial cost of a software hack that should be considered, but also the indirect costs, which are not negligible. AWS stresses that efficient software code is essential, as software code has a significant multiplier effect in software applications and data centers. AWS cited an IEA report highlighting that data centers consume approximately 200 terawatts of power per year, which is equivalent to 1% of the planet’s total energy consumption. Major and direct energy consumption reduction strategies will be needed, but efficiency savings will need to be made across the board. Software bugs have led to Internet hacks that have led to entire clusters of computers and servers being decommissioned and even scrapped. The time, effort, energy, and manpower to update computers, etc. has to be considered a wasted resource. Rust is not going to save the world, but reducing the attack surface of the daily software programs can only be a good thing.

(Insights and commentary for this article were leveraged from ABI Research’s “Maximizing Green Initiatives In ICT” whitepaper.)