Benefits and Drawbacks of Adopting a Secure Programming Language: Rust as a Case Study

Programming languages such as Rust and Go were developed to combat common and potentially devastating memory-safety-related vulnerabilities. But adoption of new, more secure languages can be fraught and complex. To better understand the benefits and challenges of adopting Rust in particular, we conducted semi-structured interviews with professional, primarily senior software developers who have worked with Rust on their teams or tried to introduce it (n = 16), and we deployed a survey to the Rust development community (n = 178). We asked participants about their personal experiences using Rust, as well as their experiences using Rust at their companies. We find a range of positive features, including good tooling and documentation, benefits for the development lifecycle, and improvement of overall secure coding skills, as well as drawbacks including a steep learning curve, limited library support, and concerns about the ability to hire additional Rust developers in the future. Our results have implications for promoting the adoption of Rust specifically and of secure programming languages and tools more generally.
