Announcement: Rust Security Bootcamp!

caption (source: https://analyticsindiamag.com/ai-features/rust-provides-the-ultimate-security-against-hackers/)

A Rustacean’s journey through security vulnerabilities and a personal experiment in reimagining how we might learn cybersecurity

Disclaimer: I am NOT a security expert. I’d rather position myself as an enthusiastic practitioner. Therefore, please take a grain of salt for any strong claims I make, ideally with doublechecks with credible sources.

The Cathedral and the Bazaar of Broken Code

Picture this: It’s 2025, and yet another critical vulnerability has just been disclosed. The root cause? A buffer overflow in C code written by brilliant engineers at a top-tier company. Sound familiar? If you’ve been in the security space for more than five minutes, this scenario probably triggers a weary sense of déjà vu.

I’ve found myself staring at this same pattern repeatedly — watching incredibly talented developers make the same memory safety mistakes that have plagued our industry since the 1970s. Not because they’re careless, but because the tools we’ve traditionally used for systems programming make it nearly impossible to avoid these pitfalls entirely.

After working through countless security training materials and participating in team learning sessions where we’d struggle with the eternal dance of “write vulnerable C code, exploit it, then add band-aid mitigations,” something started bothering me. While there are really great security education courses out there, most traditional security courses to me more or less look like “write vulnerable C code, exploit it, then add band-aid mitigations”. Then whimsically a new idea came to my brain: What if we could learn security the way we should be building systems in 2025?

From Personal Study to Shared Experiment

This virtual bootcamp didn’t emerge from any claim to expertise — it grew from my own learning journey and the materials I wished had existed when I was studying these concepts.

I remember working through classic security texts like Ross Anderson’s Security Engineering and the Handbook of Applied Cryptography, implementing exploits from papers, and feeling this persistent disconnect. The foundational knowledge was invaluable, but I kept thinking: “This is how attacks worked in 1995. How should we be building defenses in 2025?”

During internal training sessions, I watched colleagues (including myself) struggle with a fundamental irony: we were learning to create the very vulnerabilities we were supposed to prevent. When I started experimenting with Rust for security-related projects, something clicked. Here was a language that let me understand both sides of the security equation — the attacks and the systemic defenses — in a way that felt more aligned with how I thought modern systems should work.

What you’re seeing here is essentially my attempt to create the learning path I wish I had followed — starting with the same foundational concepts from those classic materials, but approached through the lens of memory-safe systems thinking.

Why I Think Our Learning Approach Might Need Updating

The security education I experienced followed a predictable pattern:

  1. Study classic C vulnerabilities
  2. Implement exploits to understand the attacks
  3. Learn about mitigations (ASLR, stack canaries, etc.)
  4. Repeat with new vulnerability classes

This taught me invaluable lessons about attack patterns and defensive thinking. But I kept noticing something: 70% of the vulnerabilities I was studying were memory safety issues that modern languages simply don’t allow.

Meanwhile, I was reading about industry changes:

  • Linux kernel modules being rewritten in Rust
  • Microsoft moving Windows components to memory-safe languages
  • Google reporting that Rust adoption eliminated entire categories of vulnerabilities
  • Government agencies mandating memory-safe languages for critical infrastructure

I started wondering: what if I had learned these same security concepts, but in a context that showed me both the historical attacks AND the modern prevention techniques?

My Experiment with Rust for Security Learning

Why did I gravitate toward Rust for this experiment? It wasn’t because I think Rust is perfect or that C is obsolete – I’d make it clear that I am a huge Rust fan but advocate people in CS space MUST learn C seriously (no matter what language they use in real projects). It was because of something I noticed during my own learning process.

When I was studying buffer overflows, I’d implement them in C, exploit them, then learn about stack canaries and ASLR. But with Rust, something different happened: the borrow checker would stop me from creating certain classes of vulnerabilities, which forced me to understand the underlying memory safety principles at a deeper level.

The unsafe keyword became fascinating from a pedagogical perspective — it let me deliberately introduce the vulnerabilities I wanted to study, but within a context that made the safety principles explicit rather than implicit.

I wasn’t abandoning the lessons from classic security research. Instead, I was trying to build on that foundation with tools that made the underlying principles more visible and tangible.

The Virtual Bootcamp: Learning Experiment

What I’ve compiled here isn’t a claim to have invented better security education. It’s my attempt to create the learning experience I wish I had access to when I was working through these concepts.

The Structure I Found Helpful:

  • Morning sessions: Working through conceptual material (heavily borrowed from classic texts)
  • Afternoon sessions: Hands-on implementation (where I experimented with Rust approaches)
  • Evening reflection: Connecting new concepts to things I’d learned from traditional sources

Why I Think This Virtual Format Works:

  • Self-paced learning — I could spend extra time on cryptographic implementations when they didn’t click immediately
  • Real-world timing — I could study during actual security incidents and see how the concepts applied
  • Immediate experimentation — I could take ideas directly into personal projects or work discussions
  • Flexible scheduling — Perfect for learning around other commitments

Week 1: Starting Through Foundations

Days 1-2: Developing Security Intuition I started with mindset rather than code, drawing from materials like Schneier’s thinking about security economics. Then I experimented with Rust’s memory safety model by deliberately breaking it with unsafe code — a hands-on way to understand both the protections and their limitations.

Days 3-4: Understanding Classic Attacks in Modern Context I worked through classic buffer overflows and ROP chains, but implemented them in Rust to see both how these attacks work historically and how modern languages address them systematically. This helped me understand privilege separation and authentication in a more complete context.

Day 5: Crypto Foundations That Actually Stick Rather than just reading about cryptographic concepts, I implemented them. Starting with XOR ciphers and working up to AES gave me intuitions that purely theoretical study never provided.

Week 2: Connecting Historical Knowledge to Modern Practice

Days 6-7: Building Cryptographic Understanding
From implementing HMAC to generating RSA keys, I found that building these primitives myself (guided by the classic references) gave me much deeper understanding than just using libraries.

Day 8: Making Sense of Secure Communications TLS finally made sense when I implemented both client and server components. Even building a MITM proxy (ethically, for learning) helped me understand why certificate validation matters in ways that reading about it never did.

Days 9-10: Connecting Everything to Current Threats Web security and network attacks — seeing how all the earlier principles applied to today’s attack landscape was where everything came together.

Three Projects That Leverage Understanding

The bootcamp includes three substantial projects that represent different aspects of my learning journey:

Project 1: Exploit and Patch — Working through finding vulnerabilities in Rust code (using unsafe), exploiting them, and then refactoring to eliminate entire vulnerability classes. This exercise taught me more about defensive programming than any amount of theoretical study.

Project 2: Secure Chat — Building an end-to-end encrypted messaging system that puts cryptographic theory into practice. The debugging process when things inevitably didn’t work taught me more about protocol design than I expected.

Project 3: Hardened Web API — Creating a production-ready API with proper security controls. This is where I realized how all the separate concepts needed to work together in real systems.

Who Might Benefit from This Approach

I compiled this material based on my own background — someone lightly comfortable with fundamentals of systems programming (C/C++ experience) who wanted to understand security more deeply. If your background is similar, you might find this approach helpful.

This worked well for my learning style because:

  • I learn better through implementation than pure theory
  • I wanted to understand both attack techniques and modern defenses
  • I was motivated by seeing how concepts apply to current technology trends
  • I had the flexibility to work through material at my own pace

This probably wouldn’t work well if:

  • You’re completely new to programming (I’d suggest starting with Rust fundamentals first)
  • You prefer instructor-led learning with immediate feedback
  • You’re looking for quick overviews rather than deep implementation experience

My Learning Resources Arsenal

What I’ve compiled includes:

Study Materials I Found Useful

  • Guided notes that connect classic security concepts to modern implementations
  • Lab instructions that worked well for self-study
  • Project templates that helped me avoid getting stuck on setup details
  • Reading suggestions that enhanced rather than overwhelmed the hands-on work

Hands-On Experiments

  • Ethical vulnerability exploration in controlled environments
  • Real cryptographic implementations (not just toy examples)
  • Network simulation tools for understanding attack patterns
  • Progressive complexity that built understanding step by step

What I Learned About Learning Security

Working through this material taught me something unexpected: the choice of implementation language significantly affected how deeply I understood the underlying concepts.

When I implemented cryptographic algorithms in Rust, the type system helped me catch conceptual errors that would have become runtime bugs in C. When I worked with memory safety concepts, Rust’s ownership model made abstract principles concrete and debuggable.

This doesn’t mean Rust is inherently superior for all security work. But it does suggest that the tools we use for learning can shape how well we understand the concepts themselves.

An Invitation to Experiment

I’m sharing this compilation not because I think it’s the definitive way to learn security, but because it represents one person’s attempt to create a more integrated learning experience that connects historical security knowledge with modern development practices.

The cybersecurity field is evolving rapidly. Rather than waiting for institutions to update their curricula, some of us need to experiment with how we learn and share knowledge. This bootcamp is my contribution to that experimentation.

If this resonates with your learning style and background, consider it an invitation to try a different approach to security education. Whether you work through it in two intensive weeks or spread it across several months, the goal is the same: developing security intuitions that work in today’s technological landscape.

At the end of the day, building things that don’t break in the first place would be priceless regardless of domain you work in.

Welcome to the bootcamp! https://github.com/SaehwanPark/rust-security

This learning experiment starts with curiosity about whether we can understand security concepts more deeply by studying them in contexts that reflect how we should be building systems today. No claims to expertise — just one programmer’s attempt to create the learning experience they wish they’d had. Your security learning laboratory awaits, if you’re interested in trying this approach.

Ready to experiment with a different way of learning security? Let’s see where this path leads.