
A proactive approach to more secure code - pjmlp
https://msrc-blog.microsoft.com/2019/07/16/a-proactive-approach-to-more-secure-code/
======
leshow
They are claiming up to 70% of the vulnerabilities can be avoided in a
language like Rust; I think a good chunk of the other 30% can be avoided using
a language with a type system like Rust's. I'm continually amazed at how much
an expressive type system can help minimize bugs.

~~~
kiliancs
We've also seen dramatic changes in the amount of defects found after
migrating most of an app to TypeScript in strict mode.

~~~
leshow
TypeScript makes writing large codebases in JS actually possible. But it's
still missing a few things and there's not much they can do about it. Pattern
matching, and real support for sum types (not just having a 'type' field w/ a
string) would be at the top of my list I think. Working with type parameters
can also get a bit unwieldy, and bounding them with the 'extends' keyword is a
pain in the ass. IMO of course.

------
skrebbel
Is this an influential body inside MS? Sounds like good news for the Rust
community that a team like this recommends that a bigco like MS explores Rust.

~~~
pjmlp
MS is already exploring Rust via Azure IoT Edge, VSCode search engine, Actix,
Firefox for HoloLens.

So it is positive that the security group is also pushing for it, alongside .NET
and Core Guidelines for C++.

Now how much political weight they are able to carry remains an open question.
If WinDev was more sympathetic towards DevDiv, Longhorn would probably have
actually happened, as proven by Singularity and Midori.

~~~
roca
Singularity and Midori relied on GC for memory safety, and that was a huge
problem for Longhorn/Vista because it was very difficult to write code that
would work reliably when memory is critically low.

Rust is a completely different story. Sure, Rust's standard library treats OOM
as fatal, which is the right thing for almost all application code, but it's
not difficult to create Rust libraries that treat OOM as a recoverable error,
or that don't allocate at all.

If the Singularity group had invented Rust instead of Sing# things might have
turned out differently.
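
A worked illustration of the recoverable-OOM point above, added here as an example (not code from the post, from Microsoft, or from the Rust project): `Vec::try_reserve_exact` from std reports allocation failure as an `Err` where `Vec::with_capacity` would invoke the global OOM handler, so a length field from untrusted input, or a machine under memory pressure, produces a rejected request rather than a dead process. It assumes a 64-bit target; the frame format and `FrameError` type are made up for the example.

```rust
use std::collections::TryReserveError;

/// Errors a frame reader can report instead of aborting the process.
#[derive(Debug)]
pub enum FrameError {
    /// The declared length could not be reserved: the allocator refused it or
    /// it exceeded `isize::MAX`. The frame is rejected; the process lives on.
    Alloc(TryReserveError),
    /// Fewer body bytes were available than the header declared.
    Truncated { declared: usize, got: usize },
}

/// Reserve space for a length-prefixed frame before copying its body.
/// `Vec::try_reserve_exact` returns `Err` where `Vec::with_capacity` would call
/// the global OOM handler, so an oversized length field is a recoverable error.
pub fn read_frame(declared_len: usize, body: &[u8]) -> Result<Vec<u8>, FrameError> {
    let mut buf = Vec::new();
    buf.try_reserve_exact(declared_len).map_err(FrameError::Alloc)?;
    if body.len() < declared_len {
        return Err(FrameError::Truncated { declared: declared_len, got: body.len() });
    }
    buf.extend_from_slice(&body[..declared_len]); // never reallocates: capacity suffices
    Ok(buf)
}

/// Degrade instead of dying: try `preferred` bytes of capacity, halving until
/// `minimum`. Returns `None` only when even `minimum` cannot be reserved.
pub fn reserve_with_fallback(preferred: usize, minimum: usize) -> Option<Vec<u8>> {
    let mut want = preferred;
    while want >= minimum {
        let mut buf = Vec::new();
        if buf.try_reserve_exact(want).is_ok() {
            return Some(buf);
        }
        want /= 2;
    }
    None
}

fn main() {
    // Constructed input: a header claiming usize::MAX bytes, and a 5-byte body.
    let body = b"hello";
    println!("{:?}", read_frame(usize::MAX, body).err()); // Some(Alloc(..))
    println!("{:?}", read_frame(5, body).map(|b| b.len())); // Ok(5)
    // Reserved-but-untouched capacity costs no physical pages, so the fallback
    // loop can safely probe sizes well beyond what the machine can back.
    let buf = reserve_with_fallback(1 << 40, 1 << 20).expect("1 MiB must be reservable");
    println!("reserved {} bytes after fallback", buf.capacity());
}
```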

~~~
pjmlp
Yet according to MSR, Midori had no issues powering a portion of Bing in
production.

Multiple OSes have been written in GC enabled system languages.

Having a GC doesn't mean all memory is required to be GC allocated on the
heap, usually the same mechanisms of a language like C++ are also available,
e.g. Modula-3, System C#, D and so forth.

Joe Duffy clearly states in one of his Midori talks that WinDev did not
believe in Midori, even with it running in front of them.

------
CiTyBear
For those who want to see some Rust in action, here are some OSS tools written
in Rust that are very efficient:

RipGrep[0]: replaces grep and is blazing fast

bat[1]: replaces cat with better display and colours

exa[2]: replaces ls with many more options

[0]: [https://github.com/BurntSushi/ripgrep](https://github.com/BurntSushi/ripgrep)

[1]: [https://github.com/sharkdp/bat](https://github.com/sharkdp/bat)

[2]: [https://github.com/ogham/exa](https://github.com/ogham/exa)

I do not have any affiliation with them, I just use them a lot.

Edit: formatting

------
_ph_
So 70% of the vulnerabilities are still caused by lack of memory safety, and
that doesn't even account for all the defects that don't end up in a
vulnerability. Imagine how much more safety and correctness there would be if
not only those 70% didn't exist, but no time had to be spent fixing them and
the effort could instead be concentrated on avoiding the other 30%.

~~~
pjmlp
The Morris worm is 30 years old now; what allowed it is still pretty much
regular C code in 2019.

------
vijaybritto
This would be a massive boost to the rust community as a whole as many would
have a look at it!

------
rurban
Replacing a safe language, C#, with an unsafer but faster language, Rust, is
of course fine, but then they shouldn't label it wrong.

------
tptacek
This isn't an advisory, it's just a blog post. We're meant not to editorialize
titles, and this one was a doozy; the appropriate title is "A proactive
approach to more secure code".

~~~
ChrisSD
I've noticed that happening a lot lately. It's frustrating because the blog
post is interesting on its own merits and doesn't need to have a clickbait
title inserted.

~~~
mises
See the recent front-page post about "England selects new face of fifty-pound
bill" or something of the sort. The title of the linked BBC article included
that Alan Turing had been chosen, yet the poster chose to make it click-bait.

------
syxun
In other words, Windows is about to become slower.

~~~
Someone1234
Depends on which memory-safe language they use and how (plus this blog post
isn't by the Windows team or about Windows specifically). The biggest things
that slow Windows are lock contention, back-compat, and abstraction layers.
Those problems all remain regardless of language choice.

