'Unbreakable' was a stretch, 'Rugged' more attainable

CSO Senior Editor Bill Brenner on why the Rugged Software initiative is a big step forward in the quest for cybersecurity.

When Oracle launched its "Unbreakable" marketing campaign almost a decade ago, the idea was never to suggest its software could never fall victim to vulnerabilities and exploits. It was more a statement about being committed to the goal of making it unbreakable.

But when it used that word, expectations were raised to a level no software maker could meet.

People take words quite seriously in the security industry, and unbreakable meant it could not be broken. So in the years that followed, when tons of vulnerabilities were uncovered by the likes of researcher David Litchfield, Oracle suffered a reputational blow. To its credit, the database giant has worked feverishly to do better. Under the leadership of CSO Mary Ann Davidson, Oracle has put a rigorous security assurance program in place.

But the word "Unbreakable" still troubles the ears, because in my experience ANY piece of technology can be broken if someone is determined enough to make it happen. It's like a wise uncle once told me when our house was broken into despite the security system my father had installed: "If someone wants to get in, they're going to get in."

I'm much more comfortable with another word: Rugged.

Rugged doesn't mean it can never be busted. It does imply a toughness that's a lot better than what came before.

That's why I like the Rugged Software initiative founded by 451 Group Enterprise Security Practice Research Director Joshua Corman, Monterey Group Executive Director David Rice and Aspect Security CEO Jeff Williams.

When launching the initiative, the trio released what they call the Rugged Software Manifesto:

  • I am rugged and, more importantly, my code is rugged.
  • I recognize that software has become a foundation of our modern world.
  • I recognize the awesome responsibility that comes with this foundational role.
  • I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
  • I recognize these things - and I choose to be rugged.
  • I am rugged because I refuse to be a source of vulnerability or weakness.
  • I am rugged because I assure my code will support its mission.
  • I am rugged because my code can face these challenges and persist in spite of them.
  • I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.

This is about building a new culture among software developers, one based on toughness and a commitment to keep striving for something better. It's also an acknowledgement that cyber evil can't be stopped entirely. Vulnerabilities will still happen and the bad guys will still exploit them.

But if the developers are rugged and the software they write is rugged, it's going to be that much harder for the dregs of cyberspace to make trouble.

This isn't the first initiative to force security into the code at the very beginning of the software development process. It's really what "Unbreakable" was all about, though the slogan broke the pane of reality. There's also BSIMM -- the Building Security In Maturity Model -- a set of best practices Cigital and Fortify developed by analyzing real-world data from nine leading software security initiatives and creating a framework based on common areas of success. Microsoft has its Security Development Lifecycle (SDL), which has become a favorite among developers in more recent years.

All these things have gone a long way in making software more secure, and everyone involved deserves praise.

But Rugged takes it a step further. The idea is that before the code can be made secure, the developers themselves must be toughened up. Vulnerabilities are the result of human error, and if you change the human attitude, good things will follow.

That's the hope, anyway.

Whatever the final outcome may be, it's good to see folks in the security industry thinking outside the box.

After all, rugged isn't something you can contain in a box.

Copyright © 2010 IDG Communications, Inc.
