Why We Build Digital Infrastructure in Rust

If you’re alive in 2024, you’re probably used to hearing a lot about cybercrime. Large hacks, such as thefts of customers’ personal information, seem nearly constant – and they’re only projected to accelerate in coming years.

Recent advances in software development tools, however, offer hope. In February, the White House Office of the National Cyber Director issued a memo encouraging the wider adoption of what are known as “memory-safe” programming languages. That shift could mitigate up to 70% of hacks, preventing attacks that are currently causing a shockingly large amount of economic damage.

SpruceID has been an early adopter of memory-safe programming since its founding in 2020 as part of our commitment to high standards of security. Just about all of our tools are built using the memory-safe language Rust. Read on to find out more about memory-safe programming, Rust – and why all software builders should be taking similar steps into a more secure future.

Death By a Thousand Memory Leaks

Hacks based on flawed memory management are a large part of the massive economic and social harm caused by hacking – what the Council on Foreign Relations has described as a “death by a thousand cuts.”  USAID estimated $8 trillion in economic damage from cybercrime worldwide in 2023. One analysis estimated that cyberattacks will cost the U.S. economy alone more than $350 billion this year. That’s more than 20 times what the U.S. federal government spends on feeding school kids.

Poor memory management is a common weakness in older but still widely-used programming languages like C and C++, and according to research by Google, memory is the root cause of roughly 70% of all system-level hacks. Very broadly, a program can be exploited when it loses track of a chunk of the short-term memory (RAM) that programs run on. Attackers can use uncontrolled or badly indexed memory to alter the intended behavior of a program. Spectre and Meltdown vulnerabilities, which exploit memory to inject malicious code, are still a threat years after their discovery.

Wider use of memory-safe programming languages is a system-wide way to address the ceaseless torrent of hacks. The White House notice (summarized here by Security Intelligence) follows a 2022 bulletin by the National Security Agency also encouraging the move towards memory-safe programming languages. It’s unusual for agencies like the NSA to issue specific software development advice, making this guidance particularly notable. 

The unusual push is justified because memory-safe programming presents the possibility of what might sound like a fantasy: dramatically reducing the prevalence of destructive hacks by attacking one of their root causes.

The Language of Choice for Secure and Reliable Solutions

SpruceID is committed to staying at the forefront of security standards. Our tools handle highly sensitive data and are trusted to verify its validity, often in high-security settings. With security as a top priority, we carefully design, develop, and deploy our solutions to meet these demands. That's why we build our secure applications in Rust, a programming language known for its memory safety and robustness. Its adoption by leading organizations highlights its suitability for building resilient, high-security systems, and we are glad to be part of this movement.

Rust is becoming increasingly recognized for its excellent design and is by far the most widely used memory-safe programming language. It has been integrated into critical components of Google, Linux, Windows, and Nvidia products. The February White House report can’t be seen as picking favorites, so it’s not explicit, but reading between the lines, it’s fairly clear that Rust is meant to be front and center for those mulling a path toward improved memory safety.

One of the more remarkable advantages of Rust, as Google reports, is that building new components with Rust provides security advantages even without re-writing or heavily modifying legacy codebases. That makes the transition far more efficient: Google began pushing Android development to memory-safe languages in 2019, and memory vulnerabilities have declined from more than 70% to just 24% of Android vulnerabilities in the years since - without overhauling existing code.

In November of last year, Microsoft announced that it was investing $10 million in improving developer tooling for Rust and integrating Rust into Windows and Azure environments. Microsoft also made a large contribution to the Rust Foundation, where SpruceID is also a member, and Microsoft engineers have said the Rust is mature enough to integrate into core components such as the OS kernel. Linux, the operating system that runs many industrial server systems, is also actively integrating Rust into its core architecture, shifting away from what devs consider “inherent weaknesses” in older languages.

While security is the headline, Rust does bring many other benefits. It leads to better performance in many circumstances, even in comparison to other modern languages like Go. Programmers also broadly consider it a pleasure to use: Rust is far and away the most “loved” programming language, according to a survey by Stack Overflow. Programmer Gregory Szorc has explained the appeal by describing Rust as a perfect mix of innovative ideas and user-friendliness. So an added benefit of Rust, and one we’ve definitely experienced at SpruceID, is that it makes it easier to attract and keep top coding talent.

One Important Piece of the Security Puzzle

While memory-safe programming languages like Rust are essential in reducing vulnerabilities, they’re only one component of a robust security program. At SpruceID, we recognize that creating secure systems goes beyond selecting a single language - it’s about designing, testing, and maintaining a multi-layered strategy for every stage of development and deployment.

Rust helps us uphold these high standards, but it’s integrated into a wider approach that includes rigorous protocols, continuous monitoring, and regular updates. Each of these components reinforces the security, reliability, and privacy that our users expect.

Rust is The Future

At SpruceID, we’re focused on building better identity systems, which are poised to become a more secure and more private system for managing our digital lives. Building on a secure foundation, and aiding the broader transition to memory-safe programming, is a natural extension of  SpruceID’s core mission.

This isn’t just about strong principles and good vibes, though - these recent government directives on memory safety are a strong signal that it’s the right strategic move, too. The White House sets guidelines for Federal contractors and procurement, so memory safety could become a requirement for those applications. Builders interested in working with the government should all be considering transitioning to memory-safe tools, and Rust is clearly at the top of that list.

About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.