Security Platform API

Architectural Overview

I was part of the backend team building the core API for a security product. The codebase was written in Rust using the Rocket framework.

If you read standard Rust advocacy, the justification for using it here would be memory safety. In reality, memory safety was not our primary constraint, and we could have easily built this system in another backend language. Choosing Rust actually introduced significant friction into the development process.

The hardest problems we faced had nothing to do with borrow checking or concurrency. They were ecosystem problems. When you build B2B software in Java or C#, enterprise protocols are solved problems with mature, batteries-included libraries. In Rust, that tooling was either incomplete or nonexistent. We had to build the infrastructure ourselves.

“Choosing a language without a mature enterprise ecosystem means you spend a significant portion of your engineering time building protocol libraries instead of product features.”

The Integration Surface

The standard CRUD operations were trivial. The real engineering effort went into making the platform talk to legacy enterprise systems.

  • Enterprise Provisioning: Implemented SCIM for Azure Active Directory user provisioning and built a separate integration for Google Workspace. Without high-level SDKs, we implemented these directly against their respective API specifications.
  • Active Directory: Built an LDAP integration for synchronizing users from on-premise Active Directory environments.
  • Email Ingestion: The platform needed to sync and parse emails. IMAP is an old, heavily fragmented protocol. Managing persistent connections, handling server-specific quirks, and parsing MIME attachments without blocking the runtime required careful design.
  • Vulnerability Data: Integrated the platform with the NIST National Vulnerability Database (NVD) to ingest, process, and index CVE data continuously.

Working on this project clarified a specific architectural trade-off. Rust is an excellent systems language, but using it for a standard web application forces you to absorb the cost of a young ecosystem. The integrations worked flawlessly once built, but the engineering time it took to get them there was steep.