AnyVec Blog
Insights on security engineering, Rust programming, cryptography, and secure systems development
Zola
2026-04-17T00:00:00+00:00
https://blog.anyvec.com/atom.xml
Understanding Cryptographic Primitives in Rust
2026-04-17T00:00:00+00:00
2026-04-17T00:00:00+00:00
Unknown
https://blog.anyvec.com/posts/second/
<p>Cryptography is fundamental to building secure systems. In this post, we'll explore how to work with cryptographic primitives in Rust using the ecosystem's excellent libraries.</p>
<h2 id="choosing-the-right-crypto-library">Choosing the Right Crypto Library</h2>
<p>The Rust ecosystem offers several high-quality cryptography crates:</p>
<ul>
<li><strong><code>ring</code></strong>: Fast, safe, and thoroughly audited</li>
<li><strong><code>RustCrypto</code></strong>: Pure Rust implementations with extensive algorithm support</li>
<li><strong><code>sodiumoxide</code></strong>: Rust bindings to libsodium</li>
</ul>
<p>For this example, we'll use <code>ring</code> for its performance and security track record.</p>
<h2 id="hashing-with-blake2">Hashing with BLAKE2</h2>
<p>BLAKE2 is a cryptographic hash function faster than MD5, SHA-1, SHA-2, and SHA-3, yet is at least as secure as the latest standard SHA-3:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> ring</span><span class="z-keyword">::</span><span>digest</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name"> hash_data</span><span>(</span><span class="z-variable z-other">data</span><span class="z-keyword">:</span><span class="z-keyword"> &</span><span>[</span><span class="z-entity z-name">u8</span><span>]</span><span>)</span><span class="z-keyword"> -></span><span class="z-entity z-name"> Vec</span><span><</span><span class="z-entity z-name">u8</span><span>></span><span> {</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> digest</span><span class="z-keyword"> =</span><span class="z-entity z-name"> digest</span><span class="z-keyword">::</span><span class="z-entity z-name">digest</span><span>(</span><span class="z-keyword">&</span><span class="z-entity z-name">digest</span><span class="z-keyword">::</span><span class="z-constant">BLAKE2B_256</span><span>,</span><span class="z-variable z-other"> data</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span class="z-variable z-other"> digest</span><span class="z-keyword">.</span><span class="z-entity z-name">as_ref</span><span>(</span><span>)</span><span class="z-keyword">.</span><span class="z-entity z-name">to_vec</span><span>(</span><span>)</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name"> main</span><span>(</span><span>)</span><span> {</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> data</span><span class="z-keyword"> =</span><span class="z-string"> b</span><span class="z-punctuation z-definition z-string">"</span><span class="z-string">Hello, AnyVec!</span><span class="z-punctuation z-definition z-string">"</span><span>;</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> hash</span><span class="z-keyword"> =</span><span class="z-entity z-name"> hash_data</span><span>(</span><span class="z-variable z-other">data</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span class="z-entity z-name"> println!</span><span>(</span><span class="z-punctuation z-definition z-string">"</span><span class="z-string">Hash: </span><span class="z-string">{</span><span class="z-string">:?</span><span class="z-string">}</span><span class="z-punctuation z-definition z-string">"</span><span>,</span><span class="z-variable z-other"> hash</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span>}</span></span></code></pre><h2 id="authenticated-encryption-with-chacha20-poly1305">Authenticated Encryption with ChaCha20-Poly1305</h2>
<p>For encrypting data, always use authenticated encryption (AEAD):</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> ring</span><span class="z-keyword">::</span><span>aead</span><span>;</span></span>
<span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> ring</span><span class="z-keyword">::</span><span class="z-entity z-name">rand</span><span class="z-keyword">::</span><span>{</span><span class="z-entity z-name">SecureRandom</span><span>,</span><span class="z-entity z-name"> SystemRandom</span><span>}</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name"> encrypt_message</span><span>(</span><span class="z-variable z-other">key</span><span class="z-keyword">:</span><span class="z-keyword"> &</span><span>[</span><span class="z-entity z-name">u8</span><span>]</span><span>,</span><span class="z-variable z-other"> plaintext</span><span class="z-keyword">:</span><span class="z-keyword"> &</span><span>[</span><span class="z-entity z-name">u8</span><span>]</span><span>)</span><span class="z-keyword"> -></span><span class="z-entity z-name"> Result</span><span><</span><span class="z-entity z-name">Vec</span><span><</span><span class="z-entity z-name">u8</span><span>></span><span>,</span><span class="z-entity z-name"> Error</span><span>></span><span> {</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> rng</span><span class="z-keyword"> =</span><span class="z-entity z-name"> SystemRandom</span><span class="z-keyword">::</span><span class="z-entity z-name">new</span><span>(</span><span>)</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Generate a unique nonce</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-storage"> mut</span><span class="z-variable z-other"> nonce_bytes</span><span class="z-keyword"> =</span><span class="z-entity z-name"> vec!</span><span>[</span><span class="z-constant">0</span><span class="z-entity z-name">u8</span><span>;</span><span class="z-constant"> 12</span><span>]</span><span>;</span></span>
<span class="giallo-l"><span class="z-variable z-other"> rng</span><span class="z-keyword">.</span><span class="z-entity z-name">fill</span><span>(</span><span class="z-keyword">&</span><span class="z-storage">mut</span><span class="z-variable z-other"> nonce_bytes</span><span>)</span><span class="z-keyword">?</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> unbound_key</span><span class="z-keyword"> =</span><span class="z-entity z-name"> aead</span><span class="z-keyword">::</span><span class="z-entity z-name">UnboundKey</span><span class="z-keyword">::</span><span class="z-entity z-name">new</span><span>(</span></span>
<span class="giallo-l"><span class="z-keyword"> &</span><span class="z-entity z-name">aead</span><span class="z-keyword">::</span><span class="z-constant">CHACHA20_POLY1305</span><span>,</span></span>
<span class="giallo-l"><span class="z-variable z-other"> key</span></span>
<span class="giallo-l"><span> )</span><span class="z-keyword">?</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> sealing_key</span><span class="z-keyword"> =</span><span class="z-entity z-name"> aead</span><span class="z-keyword">::</span><span class="z-entity z-name">LessSafeKey</span><span class="z-keyword">::</span><span class="z-entity z-name">new</span><span>(</span><span class="z-variable z-other">unbound_key</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> nonce</span><span class="z-keyword"> =</span><span class="z-entity z-name"> aead</span><span class="z-keyword">::</span><span class="z-entity z-name">Nonce</span><span class="z-keyword">::</span><span class="z-entity z-name">try_assume_unique_for_key</span><span>(</span><span class="z-keyword">&</span><span class="z-variable z-other">nonce_bytes</span><span>)</span><span class="z-keyword">?</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-storage"> mut</span><span class="z-variable z-other"> ciphertext</span><span class="z-keyword"> =</span><span class="z-variable z-other"> plaintext</span><span class="z-keyword">.</span><span class="z-entity z-name">to_vec</span><span>(</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span class="z-variable z-other"> sealing_key</span><span class="z-keyword">.</span><span class="z-entity z-name">seal_in_place_append_tag</span><span>(</span></span>
<span class="giallo-l"><span class="z-variable z-other"> nonce</span><span>,</span></span>
<span class="giallo-l"><span class="z-entity z-name"> aead</span><span class="z-keyword">::</span><span class="z-entity z-name">Aad</span><span class="z-keyword">::</span><span class="z-entity z-name">empty</span><span>(</span><span>)</span><span>,</span></span>
<span class="giallo-l"><span class="z-keyword"> &</span><span class="z-storage">mut</span><span class="z-variable z-other"> ciphertext</span></span>
<span class="giallo-l"><span> )</span><span class="z-keyword">?</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Prepend nonce to ciphertext</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-storage"> mut</span><span class="z-variable z-other"> result</span><span class="z-keyword"> =</span><span class="z-variable z-other"> nonce_bytes</span><span>;</span></span>
<span class="giallo-l"><span class="z-variable z-other"> result</span><span class="z-keyword">.</span><span class="z-entity z-name">extend_from_slice</span><span>(</span><span class="z-keyword">&</span><span class="z-variable z-other">ciphertext</span><span>)</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name"> Ok</span><span>(</span><span class="z-variable z-other">result</span><span>)</span></span>
<span class="giallo-l"><span>}</span></span></code></pre><h2 id="key-derivation-with-pbkdf2">Key Derivation with PBKDF2</h2>
<p>Never use passwords directly as encryption keys. Always use a key derivation function:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> ring</span><span class="z-keyword">::</span><span>pbkdf2</span><span>;</span></span>
<span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> std</span><span class="z-keyword">::</span><span class="z-entity z-name">num</span><span class="z-keyword">::</span><span class="z-entity z-name">NonZeroU32</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name"> derive_key</span><span>(</span><span class="z-variable z-other">password</span><span class="z-keyword">:</span><span class="z-keyword"> &</span><span class="z-entity z-name">str</span><span>,</span><span class="z-variable z-other"> salt</span><span class="z-keyword">:</span><span class="z-keyword"> &</span><span>[</span><span class="z-entity z-name">u8</span><span>]</span><span>)</span><span class="z-keyword"> -></span><span> [</span><span class="z-entity z-name">u8</span><span>;</span><span class="z-constant"> 32</span><span>]</span><span> {</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> iterations</span><span class="z-keyword"> =</span><span class="z-entity z-name"> NonZeroU32</span><span class="z-keyword">::</span><span class="z-entity z-name">new</span><span>(</span><span class="z-constant">100_000</span><span>)</span><span class="z-keyword">.</span><span class="z-entity z-name">unwrap</span><span>(</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-storage"> mut</span><span class="z-variable z-other"> key</span><span class="z-keyword"> =</span><span> [</span><span class="z-constant">0</span><span class="z-entity z-name">u8</span><span>;</span><span class="z-constant"> 32</span><span>]</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name"> pbkdf2</span><span class="z-keyword">::</span><span class="z-entity z-name">derive</span><span>(</span></span>
<span class="giallo-l"><span class="z-entity z-name"> pbkdf2</span><span class="z-keyword">::</span><span class="z-constant">PBKDF2_HMAC_SHA256</span><span>,</span></span>
<span class="giallo-l"><span class="z-variable z-other"> iterations</span><span>,</span></span>
<span class="giallo-l"><span class="z-variable z-other"> salt</span><span>,</span></span>
<span class="giallo-l"><span class="z-variable z-other"> password</span><span class="z-keyword">.</span><span class="z-entity z-name">as_bytes</span><span>(</span><span>)</span><span>,</span></span>
<span class="giallo-l"><span class="z-keyword"> &</span><span class="z-storage">mut</span><span class="z-variable z-other"> key</span><span>,</span></span>
<span class="giallo-l"><span> )</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-variable z-other"> key</span></span>
<span class="giallo-l"><span>}</span></span></code></pre><h2 id="best-practices">Best Practices</h2>
<h3 id="1-use-high-level-apis">1. Use High-Level APIs</h3>
<p>Prefer high-level APIs that make it harder to misuse cryptography:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-punctuation z-definition z-comment">//</span><span class="z-comment"> Good: High-level API</span></span>
<span class="giallo-l"><span class="z-storage z-type">let</span><span class="z-variable z-other"> encrypted</span><span class="z-keyword"> =</span><span class="z-entity z-name"> encrypt_aead</span><span>(</span><span class="z-variable z-other">key</span><span>,</span><span class="z-variable z-other"> plaintext</span><span>)</span><span class="z-keyword">?</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment">//</span><span class="z-comment"> Avoid: Low-level primitives require expert knowledge</span></span>
<span class="giallo-l"><span class="z-storage z-type">let</span><span class="z-variable z-other"> cipher</span><span class="z-keyword"> =</span><span class="z-entity z-name"> Cipher</span><span class="z-keyword">::</span><span class="z-entity z-name">new</span><span>(</span><span class="z-variable z-other">key</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span class="z-storage z-type">let</span><span class="z-variable z-other"> encrypted</span><span class="z-keyword"> =</span><span class="z-variable z-other"> cipher</span><span class="z-keyword">.</span><span class="z-entity z-name">encrypt_block</span><span>(</span><span class="z-variable z-other">plaintext</span><span>)</span><span>;</span><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Easy to misuse!</span></span></code></pre><h3 id="2-generate-random-keys-properly">2. Generate Random Keys Properly</h3>
<p>Always use cryptographically secure random number generators:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> ring</span><span class="z-keyword">::</span><span class="z-entity z-name">rand</span><span class="z-keyword">::</span><span>{</span><span class="z-entity z-name">SecureRandom</span><span>,</span><span class="z-entity z-name"> SystemRandom</span><span>}</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-storage z-type">let</span><span class="z-variable z-other"> rng</span><span class="z-keyword"> =</span><span class="z-entity z-name"> SystemRandom</span><span class="z-keyword">::</span><span class="z-entity z-name">new</span><span>(</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span class="z-storage z-type">let</span><span class="z-storage"> mut</span><span class="z-variable z-other"> key</span><span class="z-keyword"> =</span><span class="z-entity z-name"> vec!</span><span>[</span><span class="z-constant">0</span><span class="z-entity z-name">u8</span><span>;</span><span class="z-constant"> 32</span><span>]</span><span>;</span></span>
<span class="giallo-l"><span class="z-variable z-other">rng</span><span class="z-keyword">.</span><span class="z-entity z-name">fill</span><span>(</span><span class="z-keyword">&</span><span class="z-storage">mut</span><span class="z-variable z-other"> key</span><span>)</span><span class="z-keyword">?</span><span>;</span><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Cryptographically secure</span></span></code></pre><h3 id="3-constant-time-comparisons">3. Constant-Time Comparisons</h3>
<p>Prevent timing attacks when comparing secrets:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-keyword">use</span><span class="z-entity z-name"> ring</span><span class="z-keyword">::</span><span>constant_time</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name"> verify_mac</span><span>(</span><span class="z-variable z-other">expected</span><span class="z-keyword">:</span><span class="z-keyword"> &</span><span>[</span><span class="z-entity z-name">u8</span><span>]</span><span>,</span><span class="z-variable z-other"> actual</span><span class="z-keyword">:</span><span class="z-keyword"> &</span><span>[</span><span class="z-entity z-name">u8</span><span>]</span><span>)</span><span class="z-keyword"> -></span><span class="z-entity z-name"> bool</span><span> {</span></span>
<span class="giallo-l"><span class="z-entity z-name"> constant_time</span><span class="z-keyword">::</span><span class="z-entity z-name">verify_slices_are_equal</span><span>(</span><span class="z-variable z-other">expected</span><span>,</span><span class="z-variable z-other"> actual</span><span>)</span><span class="z-keyword">.</span><span class="z-entity z-name">is_ok</span><span>(</span><span>)</span></span>
<span class="giallo-l"><span>}</span></span></code></pre><h2 id="common-mistakes-to-avoid">Common Mistakes to Avoid</h2>
<ol>
<li><strong>Reusing nonces</strong> with the same key</li>
<li><strong>Using ECB mode</strong> (never use block ciphers without a mode)</li>
<li><strong>Rolling your own crypto</strong> (use audited libraries)</li>
<li><strong>Ignoring authentication</strong> (encryption without authentication is insecure)</li>
<li><strong>Hardcoding keys</strong> (use key management systems)</li>
</ol>
<h2 id="conclusion">Conclusion</h2>
<p>Rust's type system and memory safety make it an excellent choice for implementing cryptographic systems. Combined with well-audited libraries like <code>ring</code>, you can build secure applications with confidence.</p>
<p>In our next post, we'll explore cryptographic protocol implementation and how to avoid common pitfalls when building secure communication systems.</p>
<hr />
<p><em>Want to learn more? Check out our <a rel="external" href="https://github.com/AnyVec">GitHub</a> for example projects.</em></p>
Getting Started with Secure Rust Development
2026-04-15T00:00:00+00:00
2026-04-15T00:00:00+00:00
Unknown
https://blog.anyvec.com/posts/first/
<p>Building secure systems requires both the right tools and the right mindset. In this post, we'll explore how Rust's type system and ownership model help prevent entire classes of vulnerabilities.</p>
<h2 id="memory-safety-by-default">Memory Safety by Default</h2>
<p>Rust's ownership system eliminates data races and memory corruption at compile time:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name"> safe_example</span><span>(</span><span>)</span><span> {</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> data</span><span class="z-keyword"> =</span><span class="z-entity z-name"> vec!</span><span>[</span><span class="z-constant">1</span><span>,</span><span class="z-constant"> 2</span><span>,</span><span class="z-constant"> 3</span><span>]</span><span>;</span></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Compiler prevents use-after-free</span></span>
<span class="giallo-l"><span class="z-entity z-name"> process_data</span><span>(</span><span class="z-keyword">&</span><span class="z-variable z-other">data</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span class="z-entity z-name"> println!</span><span>(</span><span class="z-punctuation z-definition z-string">"</span><span class="z-string">Data: </span><span class="z-string">{</span><span class="z-string">:?</span><span class="z-string">}</span><span class="z-punctuation z-definition z-string">"</span><span>,</span><span class="z-variable z-other"> data</span><span>)</span><span>;</span><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Still accessible</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name"> process_data</span><span>(</span><span class="z-variable z-other">data</span><span class="z-keyword">:</span><span class="z-keyword"> &</span><span class="z-entity z-name">Vec</span><span><</span><span class="z-entity z-name">i32</span><span>></span><span>)</span><span> {</span></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Borrow checker ensures no data races</span></span>
<span class="giallo-l"><span class="z-keyword"> for</span><span class="z-variable z-other"> item</span><span class="z-keyword"> in</span><span class="z-variable z-other"> data</span><span> {</span></span>
<span class="giallo-l"><span class="z-entity z-name"> println!</span><span>(</span><span class="z-punctuation z-definition z-string">"</span><span class="z-string">{</span><span class="z-string">}</span><span class="z-punctuation z-definition z-string">"</span><span>,</span><span class="z-variable z-other"> item</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span>}</span></span></code></pre><h2 id="common-security-pitfalls">Common Security Pitfalls</h2>
<p>Even with Rust's safety guarantees, there are still security considerations:</p>
<h3 id="1-unsafe-code-blocks">1. Unsafe Code Blocks</h3>
<p>The <code>unsafe</code> keyword allows bypassing Rust's safety checks. Use it sparingly:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-punctuation z-definition z-comment">//</span><span class="z-comment"> Avoid this unless absolutely necessary</span></span>
<span class="giallo-l"><span class="z-keyword">unsafe</span><span> {</span></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Your code here</span></span>
<span class="giallo-l"><span>}</span></span></code></pre><h3 id="2-integer-overflow">2. Integer Overflow</h3>
<p>Rust checks for integer overflow in debug mode but not in release mode by default:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-punctuation z-definition z-comment">//</span><span class="z-comment"> This will panic in debug mode</span></span>
<span class="giallo-l"><span class="z-storage z-type">let</span><span class="z-variable z-other"> x</span><span class="z-keyword">:</span><span class="z-entity z-name"> u8</span><span class="z-keyword"> =</span><span class="z-constant"> 255</span><span>;</span></span>
<span class="giallo-l"><span class="z-storage z-type">let</span><span class="z-variable z-other"> y</span><span class="z-keyword"> =</span><span class="z-variable z-other"> x</span><span class="z-keyword"> +</span><span class="z-constant"> 1</span><span>;</span><span class="z-punctuation z-definition z-comment"> //</span><span class="z-comment"> Wraps to 0 in release mode!</span></span></code></pre>
<p>Use <code>checked_add()</code>, <code>saturating_add()</code>, or <code>wrapping_add()</code> explicitly.</p>
<h3 id="3-input-validation">3. Input Validation</h3>
<p>Always validate external input, even in Rust:</p>
<pre class="giallo z-code"><code data-lang="rust"><span class="giallo-l"><span class="z-keyword">fn</span><span class="z-entity z-name"> parse_user_input</span><span>(</span><span class="z-variable z-other">input</span><span class="z-keyword">:</span><span class="z-keyword"> &</span><span class="z-entity z-name">str</span><span>)</span><span class="z-keyword"> -></span><span class="z-entity z-name"> Result</span><span><</span><span class="z-entity z-name">u32</span><span>,</span><span class="z-entity z-name"> ParseError</span><span>></span><span> {</span></span>
<span class="giallo-l"><span class="z-storage z-type"> let</span><span class="z-variable z-other"> value</span><span class="z-keyword">:</span><span class="z-entity z-name"> u32</span><span class="z-keyword"> =</span><span class="z-variable z-other"> input</span><span class="z-keyword">.</span><span class="z-entity z-name">parse</span><span>(</span><span>)</span><span class="z-keyword">?</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-keyword"> if</span><span class="z-variable z-other"> value</span><span class="z-keyword"> ></span><span class="z-constant"> MAX_ALLOWED</span><span> {</span></span>
<span class="giallo-l"><span class="z-keyword"> return</span><span class="z-entity z-name"> Err</span><span>(</span><span class="z-entity z-name">ParseError</span><span class="z-keyword">::</span><span class="z-entity z-name">OutOfRange</span><span>)</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name"> Ok</span><span>(</span><span class="z-variable z-other">value</span><span>)</span></span>
<span class="giallo-l"><span>}</span></span></code></pre><h2 id="key-takeaways">Key Takeaways</h2>
<ul>
<li>Use the type system to encode invariants</li>
<li>Leverage <code>cargo audit</code> for dependency scanning</li>
<li>Follow the principle of least privilege</li>
<li>Test with both debug and release builds</li>
<li>Document all <code>unsafe</code> blocks with safety invariants</li>
</ul>
<h2 id="next-steps">Next Steps</h2>
<p>In upcoming posts, we'll dive deeper into:</p>
<ul>
<li>Implementing cryptographic protocols in Rust</li>
<li>Fuzzing Rust applications for security</li>
<li>Secure coding patterns for async Rust</li>
</ul>
<p>Stay tuned for more security-focused Rust content!</p>
<hr />
<p><em>Have questions or suggestions? Reach out to us!</em></p>