Microsoft has again embraced and all-but-endorsed open source, perhaps in preference to its own products and technologies.
This time the company’s expressed an ardour for Rust, the programming language spawned by the Mozilla Foundation.
Microsoft’s ardour emerged in a post from Gavin Thomas, principal security engineering manager at the company’s Security Response Center (MSRC) that cited research finding “the majority of vulnerabilities fixed and with a CVE assigned are caused by developers inadvertently inserting memory corruption bugs into their C and C++ code.”
The post argues that this isn’t entirely developers’ fault by stating, “A developer’s core job is not to worry about security but to do feature work.” It therefore suggests they need “a development language where they can’t introduce memory safety issues into their feature work in the first place”.
Such languages exist. As the post points out, C++ is pretty good at this. So is the Microsoft-developed C#.
But MSRC thinks what the world needs now is “all the memory security guarantees of languages like .NET C# combined with all the efficiencies of C++” and concludes that “one of the most promising newer systems programming languages that satisfy those requirements is the Rust programming language originally invented by Mozilla.”
Thomas then wrote that, “You’re probably used to thinking about the Microsoft Security Response Center as a group that responds to incidents and vulnerabilities.
"We are a response organisation, but we also have a proactive role, and in a new blog series we will highlight Microsoft’s exploration of safer system programming languages, starting with Rust. Please do join us on our journey.”
It’s unclear if Microsoft has used Rust on products or cloud services.
It is clear that Satya Nadella’s Microsoft is open to good technology regardless of its source, and is far less interested in crusading for its own products.