DevSecOps: Fortanix Adds Open Source Rust SDK to Build Encrypted Apps

There’s a lot of focus these days on DevSecOps as part of an effort to fix what’s generally acknowledged as a broken cybersecurity paradigm. But instead of trying to ensure every potential vulnerability is addressed before an application is deployed, another idea is gaining momentum among the DevOps community: Build applications that are secure in the first place, using modern programming languages.

Fortanix, at RSA Conference 2019, launched an Enclave Development Platform (EDP) based on an open source software development kit (SDK) written in Rust. The SDK is optimized for Intel Software Guard Extensions (SGX), which are extensions to Intel instruction sets that define private regions of memory, dubbed enclaves, that prevent data from being read or saved by any process outside the enclave. Intel SGX is required to be on by default in the latest generations of Intel processors.

Company CEO Ambuj Kumar said Fortanix has been advocating the adoption of a runtime platform that makes it possible to process encrypted data in memory without ever having to expose it as plain text. By partnering with Intel to create a Rust-based SDK, the company wants to make it easier for developers to take advantage of an inherently secure programming language to invoke the Fortanix runtime.

Fortanix, which also provides access to a self-service key management service for managing encryption, recently received an additional $23 million in funding led by Intel Capital.

Kumar said Rust is gaining in popularity as a programming language because it is designed to include guardrails that prevent cybercriminals from launching injection attacks that corrupt code running in memory. In fact, Kumar noted that one of the reasons cybersecurity professionals are now against deploying applications written in C or C# is that no such guardrails are available.

The combination of Rust and Intel SGX doesn’t eliminate the need for organizations to define a set of best DevSecOps processes. But it does take a significant amount of pressure off developers who choose a modern programming language to build applications that are not as easily hacked.

Naturally, it will take some time for developers to give up tools based on legacy programming languages that many of them have been using for years. But Kumar said Rust adoption is already spreading like wildfire because developers are looking for a way to eliminate cybersecurity issues that many are now being held accountable for resolving once they are discovered in a production environment.

Of course, billions of lines of legacy application code are not going to disappear overnight simply because a new programming language has come into vogue. But enhancing cybersecurity may very well become a compelling reason to rewrite some of the most mission-critical legacy applications, especially if the rewrite winds up improving performance. After all, those legacy applications are targeted because that’s where the organization’s most valuable data resides. Of course, Intel is betting it won’t make sense to deploy those rewritten applications on processors that don’t support SGX. But whatever the rationale, the amount of time developers have to devote to ongoing cybersecurity issues is clearly limited.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
