In the cloud world, the attack surface for an application is much larger than in an on-premise deployment. Current commonly used languages provide limited support for security – over the past 20 years we have gone from 25 exploited vulnerabilities reported worldwide to 6,000+ reported on a year by year basis. What’s most alarming is that the top two vulnerabilities, buffer overflows and injections, have been known for over 15+ years, and most common languages used today in the cloud do not provide security support for these issues; i.e., applications written in these languages are prone to attacks due to inadvertent vulnerabilities written into the code by developers. As developers, it’s time to start using more secure languages in our applications.
In this talk I’ll summarise data on vulnerabilities during the past 5 years to explain why the need for secure languages. I’ll review the systems programming language Rust and it’s static language support for memory safety. I’ll discuss first steps by others in migrating parts of their C-based code to Rust, along with our experiences in porting the non-volatile memory library to Rust. I’ll review Perl and Ruby from the point of view of preventing injection attacks. I’ll also describe the concept of policy-agnostic programming, a new paradigm that prevents information leak attacks. With cloud deployments being the bread and butter in upcoming years, it’s time for a change; we need to start using more secure languages in our code development practices.