Hello everyone. Thank you for joining. My name is Nish Kumar ti and I'm currently a senior cloud and application security engineer. Over the past decade, I've been deeply involved in securing enterprise scale systems across AWS Azure and GCP with the focus on integrating security directly into the development and deployment process, what we now call DevSecOps. I worked on building. And implementing security pipelines that perform compliance checks, vulnerability scanning, and real time threat detection for everything from traditional applications to modern serverless workloads like AWS Lambda and Azure functions. I have led migrations from traditional security platforms like Prisma Cloud to more advanced solutions like VIS IO closing gaps in container and server security. I have designed CSCD integrations that block insecure bills before the reach production. Combining tools like VCLI, fortify and AWS Inspector, I'm also involved in a PS security with nsec defining sensitive data handling strategies and onboarding PCA and non PCA workloads for continuous monitoring. Today's talk, building memory Safe DevSecOps at Enterprise Scale is about a challenge I've seen repeatedly over the years. I've seen a recurring challenge. Many security tools stem cells are returning memory unsafes languages like CC plus, which means the tools designed to protect us can introduce new vulnerabilities. That's what led me to. Explore rust. A language that eliminates entire categories of memory safety issues at compile time. Today, I wanna share with you how rust memory, safety, performance integration flexibility can help us build safe security tools we can trust, and how we can practically bring rust into our existing security pipelines. Without starting from scratch. So that's a bit about who I am and why this topic matters to me. Let's take a quick look at what we will cover today and so you know exactly what we are headed. Okay, here is what we will cover. First, we will look at rust. Memory safety advantage how its ownership model eliminates entire classes of vulnerabilities leading to up to 40% fewer security incidents. Next, we will explore technical implementations, real world examples like static analysis tools that block insecure code before it compiles lightning fast container scanners. Cryptographic pipelines that stop supply chain attacks and memory safe policy engines. Then we will review performance benchmarks showing how rust tools can ramp 10 next faster than go or Python language using 60% less memory with examples from CloudFlare Dropbox and discard. Finally, we will discover integration strategies so you can bring rust into your DevOp DevOps workflows, whether it's a Gate hooks Kubernetes administration controllers, or API gateways. Without major disruptions. Before we dive into RAs, let's first understand the problem we are solving. The memory safety crisis that's affecting almost every modern systems. The memory safety crisis. From memory, safety flaws are still top cause of critical security issues. The Microsoft reports. That 70% of its cvs come from memory safety bug problems like use after free buffer overflows, databases, plug plague C, like C plus because developers how to manually manage memory, traditional scanner detect these only after code is written. And runtime monitoring can slow down applications here, for example, in a real world case, a buffer flow. NAC plus based API gateway allowed attackers to arrive session data, gaining admin level access. This is issues that cost millions to fix and damages trust, and it's exactly the type of risk rust is designed to prevent. Now we, now that we know the scale of the problem, here is what rust changes the game. It makes the whole categories of these vulnerabilities impossible by design. Rust memory safety guarantees, and that changes the game by making entire categories of vulnerabilities impossible at compile time. It enforces ownership. So every piece of data has only one owner. Notable, freeze boring rules and safe. Ensure safe freeze and rights without corrupting memory. Lifetime. Make sure and nothing out lives. Its valid scope and fearless. Concurrency means no data. S even in multi multi-threaded code. If you build a container scanner or an a PA gateway, you are not just protecting applications, you are ensuring the tool itself is not a new attack vector. Vector. This is why companies like Dropbox have reported zero memory safety bug in rust based modules. And this is not just theory. When organizations switch to RAs, they see real world results. Let's talk about the measurable impact it's having. Enterprise impacts the name, the number speaks for themselves. Enterprise migrating critical components from CC plus to rust have seen a 40% drop in security incident. Properly, a written rust code has zero memory safety bucks, static analysis tools and rust can reach 95% detection accuracy with fewer false positives, meaning security teams spend less time chasing more noise and more time fixing real issues. For example, one of financial services, from I worked with Saudi vulnerability backlog, dropped by 30% in three months after introducing rust based scanning tools. So how do we actually put rust to work? Let's start with the static analysis, catching unsafe core practice patterns before they ever reach production. Static analysis tooling. Russ. Passing libraries, select Sim and Pro Marker two. Pro Max two Make it perfect for building static analysis tools. You can scan code at and compile times spots, SQL injections patterns and block in secure commits before they hit the ripple. Compared to go based scanners, rust tools run three times faster and compared to Python based tools, they are 10 times more. Reliable in a security pipeline. That means you can scan huge code base in seconds without bottlenecks. Imagine CI build that rejects the vulnerable API endpoint before it even deploys. Starting analysis protects code before it's built, but what about the things we package and ship? That's where container scanning comes in. Rust really shines there. What is container? Let's start from the basis basics. A container is a lightweight, portable package that includes an application and everything it needs to run the code. Libraries, runtime, environment variables and configuration files. Think of it. Think of it as a shipping container for software. It does not matter if the ship is AWS Azure, GCP, or on-prem. The container runs the same way. Docker and Kubernetes have made the containers the backbone of modern application deployment. The benefit containers are fast to start. Easy to replicate and scalable. But the flip side is you view package vulnerabilities inside your container. You are scaling those vulnerabilities everywhere. Why containers need security scanning, a typical container image can meet up of dozen of dozens of layers, often pulled from public repositories. This means, you are potentially narrating vulnerabilities from someone else. Score common container risks includes outdated base images using open two or 16 version, or that's reached end of life, and embedded secrets, like API, keys, passwords, lifting, some environment variables, vulnerable libraries like log four J everyone knows that. And or OpenSSL. Misconfigurations, insecure file permissions, et cetera. Real world example, in, in 2021, attackers com compromised Kubernetes clusters by exploiting containers running outdated alpine Linx images. That's why scanning containers before deployment is non-negotiable. How traditionally scanning works traditionally scanners pass the container image. Extract the file systems, layers and com compare and style packages like against known vulnerabilities database like NVD or vendor advisors. The problem with some existing tools, performance bottlenecks, scanning hundreds of images can take hours, memory leaks. Scanners in unsafe languages can themselves be exploited, false to use, noisy results. You know that wastes security team time. In CSCD, slow or unlevel scans lead to a tough trade off speed versus security. And then that's where Rust gives us a breakthrough. Coming to rust based container scanning, rust is designed let us built continuous channels that are fast, safe and accurate. The improvements rust brings are like zero copy passing. Parallel scanning, async reporting zero copy parsing with creates like bias. The scanners can read container layers directly from disk without duplicating data in memory. This means faster performance and no unnecessary memory use parallel scanning using, rion or we can use, we can scan 10,000 plus images per minute without breaking his feet. Sing. Reporting libraries like Tokyo let us send scan results to dashboards or security tools without blocking the scanner process end-to-end. Let's walk through end-to-end. Use case in in, in DevSecOps pipeline developer pushes code. That triggers the build pipeline Docker image built a base image plus an application code or packaged into your container, and then rust based scanner runs before the image pushed into the registry. The scanner analyze each layer. Checks, installed packages against CVE databases, flags, outdated O waste components or insecure configurations. Detect secrets left in code or environment variables and scan results. Evaluated if critical vulnerabilities are found, the pipeline blocks the deployment and sends results to, however integration has happened. It may be ServiceNow or Slack with xera image push to registry only clean. Ensuring production gets only safe, verified continuous by embedding the Rust Scanner here, you are shifting, security left, stopping vulnerability before they ever touch production. So in short, containers are powerful, but without scanning, they are high speed delivery systems for vulnerabilities. Speed is great, but trust is non-negotiable. A scanner written memory, unsafe language can be exploited via the very images in it. Inspects rust memory model makes entire classes of parser. And current concurrency bugs impossible by design. So that tools is not a new attacker phase. Restless as built scanners that are both faster, safer than a traditional tools, making it possible to secure containerized replications at enterprise scale without slowing in innovation. Now we have scanned the container vulnerabilities, but how do we ensure no one has tampered with it? Between build and deploy. That's where cryptographic validation steps in cryptographic pipeline validation. Supply chain attacks are on the rise. So everything so verifying your build artifacts is critical. Rust ring and results libraries give your memory safe. Cryptographic P use, avoiding the. Pitfalls of C based open SSL, you can sign and verify artifacts without unnecessary data copies using the risk of time of check to time of use at x discord implemented a rust based cryptographic verification and si a hundred percent drop in certain supply chain at accidents. And finally, even the, within the security measures we need to control. What runs in your environment? Let's see how RUS can power, memory, safe policy engines. Policy engines decide what's allowed in your systems and if they are compromised, you are in trouble with rust. You can compile policies on. Web assembly offered sandbox executions or ensuring they're run safely across platforms. You can validate configurations without risking buffer workflows or even hard swab policies without restarts. For example in Kubernetes, you could enforce that only signed images or deployed and updated the policy in amply without downtime. We are seeing the technical side. Now let's talk numbers. How much faster, safer, and more efficient or rust based tools compared to traditional ones. If you look at the slide here across real deployments at Dropbox, discord, and CloudFlare, rust based tools can morph faster. I use less memory and produce fewer false positive than go our Python. Equal XA numbers three to 10 times faster scans, 60% less memory use lower false positive rates, all without s sacrificing safety. That's the definition of security at scale. Of course, none of this matters it if it's too hard to adapt. The good news is you can integrate RA base tools into your workflows without. Major integration strategies. You don't have to rewrite your stack to benefit from rust. You can integrate a gradually pre-commit hooks to block, bad code add GitLab ca, jobs of and automated scanning Kubernetes admission controllers for runtime policy enforcement, and API gateway mill middleware for live request validation. Key takeaways. Rust eliminates entire classes of vulnerabilities at compile time. It delivers faster performance, lower memory use, and higher detection accuracy than traditional tools. You can start small dependency scanning with cargo, audit container scanning with rest based tools and grow from the grow from there, the future. Of secure infrastructure is not just better detection, it's making certain vulnerabilities impossible. Rust delivers on that promise. Thank you. Okay.