


Are you Rugged or not?

Jul 14, 2011
Data and Information Security

It’s been a while since we’ve heard about Rugged. A conversation with a friend yesterday has compelled me to bring it up again.

The conversation was about the various efforts unfolding to ensure more security is built into code at the beginning of the development process.

When the discussion turned to Rugged, my friend expressed skepticism. He said something like this:

“It’s just a manifesto. There are no specific items in there to force the creation of more secure code.”

That’s when I remembered something I wrote about Rugged back during the RSA Conference. I had just come from a dinner meeting about Rugged, and I had some raw thoughts on how this thing could work.

Since all has been quiet on the Rugged front — and because I think it would be useful to get the discussion going again — I’m going to repeat what I said in February. Please read and discuss:


SAN FRANCISCO, Feb. 16, 2011 — The concept known as Rugged is about a year old, but the people behind it are still searching for direction. Earlier this evening, they met in a pub near the site of RSA Conference 2011 to see if they could get closer to some answers.

The Rugged software initiative was founded by 451 Group Enterprise Security Practice Research Director Joshua Corman, Monterey Group Executive Director David Rice and Aspect Security CEO Jeff Williams. Since its inception, many more people have taken an active role in its development, most notably Marisa Fagan, security project manager for Errata.

Right now, the most tangible part of Rugged is its manifesto, which is aimed at developers:

–I am rugged and, more importantly, my code is rugged.

–I recognize that software has become a foundation of our modern world.

–I recognize the awesome responsibility that comes with this foundational role.

–I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

–I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

–I recognize these things – and I choose to be rugged.

–I am rugged because I refuse to be a source of vulnerability or weakness.

–I am rugged because I assure my code will support its mission.

–I am rugged because my code can face these challenges and persist in spite of them.

–I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.

Here’s the problem the folks behind Rugged are dealing with:

There’s a growing list of entities that are all about baking security into the development process. There’s OWASP and BSIMM (the Building Security In Maturity Model). There’s Microsoft’s Security Development Lifecycle and there’s the Software Assurance Forum for Excellence in Code (SAFECode).

All are valuable entities that have hammered out best practices and guidelines to force a stronger security mindset among the people who build the stuff companies live and die by.

Where exactly does Rugged fit in?

Does a developer community already under the gun need one more entity to tell them what they’re doing wrong and what they need to do to fix it?

As some extremely intelligent people sat at a table this evening discussing these points, I remembered a talk I had written about earlier in the day at BSidesSF.

In the security community, developers are often looked down upon as stupid and lazy. It’s an oversimplification of the problem that has done nothing to make things better.

That’s a point that was made this morning by Brett Hardin, senior software engineer at Symantec, during the opening talk of the day.

Hardin has been around the block. He’s worked as a pen tester, a product manager and, most recently, he’s taken on the role of “fixer” — trying to help bridge the gap between the developers and the breakers.

He presented the following scenario:

The builder (developer) mentality is to get it out there, make the features amazing and change the future. Builders are under a ton of pressure to create something quickly so it can be brought to market quickly, which is why vulnerabilities are left behind in the code.

The breaker mentality, he said, is “Make it fail, love pwning, and say it’s all about secure development.” There’s a certain level of arrogance in this crowd, he noted.

All of this was swimming in my head as the brainstorming continued.

And then something occurred to me: Developers have been given a list of best practices and various specs to follow for more secure code. But what’s often missing is the human touch.

Developers need an entity that will be their friend and guide them through all the stuff they’ve heard from the OWASPs and BSIMMs. They don’t need yet another set of rules.

They need someone to guide them through all the rules that exist. And they need to be treated with respect.

That’s what I think Rugged should be — the “fixer” Hardin talked about earlier. Someone who can guide the builders by the hand, treat them with the dignity they deserve and help them learn how to apply all the excellent guidelines the other organizations created.

Rugged can be the entity that bridges the various gaps and turns all the technical requirements into something far more tangible and, more importantly, human.

I approach this stuff as a journalist. I think the people at the table are a lot smarter than me.

But if there’s one thing I know something about, it’s that technology can be a cold, mechanical concept for the creator as well as the consumer. As a writer, my challenge has always been to humanize the subject matter.

And so I’ve offered my two or three cents.

Rugged is about more robust and secure code. But it can be so much more.

I have faith in the people behind it, though. I think they just might figure this one out.

–Bill Brenner
