Where Are We? Nowhereville.

By Adrian Lane

It’s been about 11 months since the first time I ever spoke with Joshua Corman. He had this idea for a Rugged Software movement and wanted some feedback. After he filled me in on the concept, I told him I thought it was a good idea, and told him I was in. A few weeks later the Rugged Manifesto was published. There was a flurry of blog posts, and a bunch of email discussions, which ended in February this year. Since then, I have heard … crickets. New stuff on RuggedSoftware.org? No. OWASP? Nada. Twitter? Presentations? Chat groups? Pretty much not a damned thing.

So what’s up, guys? Where is the movement? What problems have been solved? Don’t ask what is missing from software security; ask what’s missing from Rugged!

Josh, David, and Jeff … I am calling you out!

When the Agile Manifesto was originally published, there were a lot of frustrated software engineers who had specific problems, gripes, and issues that they wanted to address. They did not necessarily have the right answers, nor did they know what tools and techniques would work (either for themselves or for others), but they identified specific problems to address (lack of planning, fear, outside influencers, periodic validation, people’s inability to estimate, etc.), and had a bunch of stuff in their bag of tricks (peer programming, task cards, stories, test driven development, etc.).

The Rugged Software movement has some of the same ingredients: a bunch of frustrated security professionals want code to be secure. And many very public security failures illustrate the need. And the same piss-poor failure analysis and finger-pointing look very familiar as well. But I don’t think we have adequately identified the problems that contribute to insecure code, and we definitely don’t have a bag of tricks ready to go.

If you look closely at Agile techniques, most are actually process changes, without much to do with actual code. The processes were designed to address issues of complexity and lack of metrics, and to minimize negative human interaction. Do we have a similar set of guidance for Rugged? Nope.

What’s missing? At this stage, at least three things:

  1. Clear, concise, no-BS descriptions of the problems that lead to insecure code.
  2. Some simple techniques, tricks, and ideas to help people get around these problems.
  3. Some people to help get this rolling.

I am not trying to shove all this onto the backs of the three gents who started this movement. They need help. I want to help. And I know that there are many security pros and coders who will help as well. And I really don’t want to see another year of inactivity on this (sorry) ‘non-movement’. Ultimately I think Rugged is the right idea. But just like 11 months ago, there is a concept without direction. We don’t need a complete roadmap – early extreme programming sure wasn’t complete – but we do need to start moving the effort forward with some basic ways to solve problems.

I push. You push back. Or not. Your call.

Comments

Hi Marisa,

You know your memes! Sneezing panda :)

I know I have told you before that I *think* Rugged is an idea I’d support and get behind, but right now I just don’t get “it” based on what has been published so far. I don’t feel like I have anything to point developers to other than a manifesto and the fact they should say they want to be rugged. In my opinion that doesn’t give the developers anything really. I’d go as far as saying those people viewing the Rugged manifesto already have the desire to produce secure code and are looking for guidance on how to do that, and not just a meme, but that is just my opinion.

I’m the first to admit there are also flaws in my own ideas; the principles materials I’ve published need (and will get in January) an update and a lot more content.

I won’t be at RSA but I’m more than happy to talk with any of you about my ideas and secure development in general!

SN

By securityninja


I’d like to offer to help with organizing a Rugged Round Table at RSA. I think RSA is a perfect time for these mini-group meetups, and I’d bet it would ‘turn the tables’ as it were on our approach.
I agree with Josh that we need to identify where the gaps actually are, and not overlap with programs like SecurityNinja’s Principles of Secure Development. If Rugged is a meme, then we need a sneezing panda not a checklist.

By marisa@erratasec.com


Joshua,

To answer both your questions: Pragmatic advice.

I am all for conceptual models as they greatly help guide how one acts for complex projects. I like the Rugged Principles, but discussing the problem and taking some first steps into action is different. As you said, we have plenty of models, but where the ‘rubber meets road’ is lacking.

Rugged Round Table - I am there. We can meet during the week away from the parties, or at the very least, at Thursday’s Disaster Recovery B-fast. Email me or DM on twitter and let’s set this up.

-Adrian

By Adrian Lane


I’m of the opinion (and have had the pleasure of seeing the Rugged pitch by Josh personally) that it’s just still too silo’d, and like anything we want others to do proactively, there must be some gain from it. Whether you are a doctor trying to get a patient to exercise, or a mechanic advocating regular oil changes, the real motivation question is what needs to happen to change behavior. Honestly, probably not something that is ever 100% achievable, but it starts IMO with perception changes and serious repercussions for failing to meet certain requirements. I don’t want to make the argument that breaches are a good thing, but when I read about someone in their 50s dying of heart failure I know my next move is to hit the treadmill.

By Dan


Hi Adrian,

I agree with the things you are saying about Rugged, I think the original idea isn’t a bad one but I don’t think it’s been executed very well.

As for whether it is the “right” idea I’m not sure. I might hold that opinion though because of a different approach I’ve been championing and releasing materials, tools etc for a long time now :)

As for your points 1 and 2 I’d point you to the approach I’ve been talking about at security and developers conferences for about two years now. The Principles of Secure Development and the Agnitio code review tool cover points 1 and 2 in my opinion. I think this approach covers most of the points in your blog. The one thing the principles lacked that Rugged had is big names like Jeff Williams promoting it and now we sit here with (in my opinion) the “wrong” one being well known.

I’d like your opinion on this but this approach has been adopted by some large companies and Agnitio has flown out of the blocks since I released it.

SN

ps - more than happy to work with the Rugged guys to see if our approaches should/could be combined if they asked.

By securityninja


There has been a great deal of activity and promise with Rugged since it was born on February 5th - 10 months and 5 days ago ;)

For those who criticize that it has not yet done enough, my question is:

    What would you consider sufficient “movement” for 10 months?

Further I ask:
 
    What are you expecting it to do?

We have plenty of frameworks and tools and Maturity Models. Rugged is a value to drive people toward efforts - not to make yet another of them. Though, the discussions Rugged has catalyzed have helped to test the gaps and obstacles in existing methods and communities.

Also, the fact that you haven’t experienced progress and/or success with it is not proof that it isn’t helping people and taking root. If it died tomorrow, the few people we have helped and informed already make it worth the effort.

I’d personally love it if we snapped our fingers and had the issue fixed.

I’d love for more help and for more participation - and we’re starting to get it.
I’ve asked you for help, and this may be ~part~ of the way you provide it.
In all seriousness, your pragmatism and first hand experience with leading Agile development teams would make you a very powerful force for helping to shape Rugged and affect results within that community.

Though honestly, and as a pleasant surprise, a great deal of traction has been on the DEMAND side - the BUYER side of the software purchasing equation. When Demand is sufficient, Supply will follow. Being a bit patient, experimental, open, and willing to explore why we lack more rugged infrastructure has been very informative - and will only help us to better target what to do next year.

We knew this would take time, and I’ve personally experienced better-than-expected early traction.

I do like the idea of a “roadmap” and realistic expectations.
shrdlu’s proposal for a roundtable over drinks sounds good to me.

We’ve had modest early expectations to spread the meme and find support, both passive and preferably active.

Rugged has been making the rounds to gain understanding, acceptance, feedback within the various AppSec communities. Within DHS, the Software Assurance crowd has run with Rugged within their rather large sphere of control and influence. I’ve heard Joe Jarzombek includes Rugged in every one of his presentations. In fact, the next issue of CrossTalk magazine (The Journal of Defense Software Engineering) is 100% dedicated to Rugged. http://www.crosstalkonline.org/

Rugged has helped security executives finally secure funding for their software security proposals (including, but not limited to shrdlu’s initiative).

Rugged has made its rounds in the conference circuits and CISO events - even [more importantly] outside the security community. Most recently, Rugged was the keynote at the 1st BASC event - aimed as a first introduction to application security for Application Developers. It proved to be very accessible and motivational.

You’re not the first to throw stones or poke at Rugged - and you won’t be the last.
The issue is important enough [and the exposure is severe enough] that we’re not going to give up that easily.
We’re Rugged after all…

While I’ll accept your criticism, I’d prefer to accept your active help in 2011.

By Joshua Corman


As someone who has given at least four Rugged presentations in the last year and seen Rugged invoked in several more at OWASP ;-), I understand your frustration, AND invite you to start contributing what you say the movement needs.  This is really hard stuff, and it definitely won’t get worked out without additional leadership from people like you.

So here’s what I suggest:  we have a Rugged Round Table at RSA.  The agenda would be to roadmap* the next year and identify interested parties to help with it.  I’ll even buy the first round of drinks.  Whaddaya say?

*I blame @csoandy for this one.

By shrdlu
