I had a long chat with Josh Corman yesterday afternoon about Rugged, especially as it applies to software development. I know this will be a continuing topic at the RSA conference, and we are both looking forward to a series of brainstorming sessions on the subject. One aspect that intrigues both of us is the overlap between Agile and Rugged as conceptual frameworks for guding developer decisions. I though this was important enough to blog up prior to the conference. The discussion went something like this:
Agile – as a concept – is successful because when the principles behind the Agile Manifesto are put into practice, they make software development easier and faster.
Agile development – embodied as one of many different process enhancements – is successful because they promote Agile principles.
When creating Rugged, mirroring Agile Manifesto was a great approach because both strive to adjust development’s approach to creating software. But the Agile Manifesto illustrates – through its 12 principles – how you should prioritize preferences and make tradeoffs when molding software.
Rugged has yet to define the principles that, when put into practice, promote Rugged software.
Rugged is missing embodiments – examples to guide practitioners – that describe and promote Rugged principles.
Rugged denotes a problem set (software is fragile, insecure, and feature-focused to the exclusion of all else) but lacks principles and a roadmap for fixing it. That’s the bad part, and the gist of my Twitter rant earlier this week. The good news is that the overlap between the two concepts provides plenty of examples of what Rugged could be. The more I think about it, the more I think the parallels between Agile and Rugged are important and serve as an example of how to approach Rugged development. There is sufficient overlap that several of the Agile principles can be directly adopted by Rugged with no loss of meaning or intent. Specifically, stealing from the Agile Principles:
- Welcoming changing requirements, even late in development …: Threats evolve rapidly, as do use cases and deployment models (Cloud? Anyone?). The fact that new security issues pop up like whack-a-moles is no different than new feature requests in web application development. The agility to respond to new requests and reprioritize on customer importance is no different that being agile enough to respond to risks. This principle applies equally well to Rugged as to Agile.
- Working software is the primary measure of progress: If your software does not compile, or is filled with logic errors, development efforts have not been totally successful. If your code is filled with security bugs, your software has variable functionality, then your development efforts have not been totally successful. When it comes to secure code development, I look at security as just another vector to manage on. It’s one of many factors that must be accounted for during the development process. Security is not your only goal, and usually not even the most important goal, but something important to account for. You can choose to ignore it, but if so there will likely be some major issue down the road. We are at that uncomfortable junction in the history of software development where we are seeing some firms have businesses disrupted by failing to manage risks posed by new code. Ruggedness should be a metric for progress.
- Continuous attention to technical excellence and good design enhances agility: I do threat modelling when building new software. I do it after the architecture phase and sometime during the design phase, because threat modelling finds weaknesses in my design choices. Sometimes they are logic flaws, sometimes communication protocol flaws, and sometimes it’s simply that the platform I was considering does support adequate security. Regardless, examining code with a jaundiced eye – looking for issues before they become serious problems – is all part of the design process. The scrutiny enhances product quality and Ruggedness. I have avoided problems before they became serious, because they were exposed during design, and those problems were easier to fix than ones I found later. That is only one example of the overlap.
- Build projects around motivated individuals: Coders are competitive. Developers have egos. Most developers want to write quality code, and to be recognized as experts who pay attention to detail. Most I have worked with are highly motivated to practice, to learn, and to get better. When there is a coding standard, they work hard to make sure their code meets it. They don’t want the code they checked in to crash the nightly build because everyone on the team will hear about it. If Ruggedness is part of the coding standard, and security checks are part of daily regression tests, there is no reason to expect the development team to do anything other than raise their game and meet the challenge.
- Simplicity – the art of maximizing the amount of work done – is essential: Developers are creative. Agile as a concept is intended to allow developers to think of creative solutions. Group discussions and open dialog, combined with rapid prototyping proofs of concept, all help find simple solutions to complex problems. Security problems fall to the same blade if you allow them to be addressed in the same way.
Unfortunately much of what I am proposing here is a heck of a lot easier when building new code, as opposed to retrofitting old code. I have lugged the burden of legacy software many times, and the restrictions imposed by some old glob of misbehaving garbage crushes inspiration and ingenuity. Bubble gum and duct tape are fun up to a point, but sooner or later it becomes just fixing someone else’s crap over and over again. With new code I contend that Rugged is simply good programming practices – and if incorporated efficiently it will make software designers, coders, and quality assurance teams better.
To some of you I am simply playing security jazz, this is all BS, and it really does not help you get your jobs done. And that’s fair. But Rugged is about changing mindsets and practices so your software does not suck. Frankly it’s early enough in the evolution of the Rugged ideals that we are still trying to build a community to contributes methodologies, tools, and experience that promote Rugged – whether in software development, IT management, or security operations. Can I provide a code library that will make you Rugged? Can I point you to a set of design choices that promote Rugged? Not yet, but I hope within the year we will see progress here. What worries me the most is that this post will be read and understood by the “security echo chamber”, but not the practitioners who must ultimately create the solutions necessary.
Reader interactions
10 Replies to “Good Programming Practices vs. Rugged Development”
SN-
Great points. As always I really do appreciate your honesty and straightforwardness. Your input from the beginning has gone a long way to shape what I think about the *potential* of Rugged. That’s probably the crux of our impasse, I see this as a potential project. One that, I’ll admit, is slow to emerge. But this pace has helped us see the scope more clearly. While developers (and the people tasked with helping developers write secure code) are a key stakeholder, we’re seeing that they aren’t the only ones, and getting buy-in from the broader tech community and customers is important too. But the verbal history is dead, and we can’t continue to just do speeches and talk one-on-one. We need the website to grow dramatically. I imagine this coming week we will decide what resources need to be on the site.
To clarify my point above, when I said Rugged could be a rally point, I didn’t mean customization shouldn’t happen. Quite the opposite, I think customization is necessary. But there are things every program has in common, and perhaps Rugged can be a face for those commonalities. It’s a program-neutral term that says “It doesn’t matter which secure coding program you adopt, but you make security a priority in your spending and in your culture.” Remember, the foundation of Rugged is as a meme, a culture cue, not a set of directions. Your question of “how does that help me deliver secure code” is a valid one, but I would argue that Rugged has been with you all along. The care that you put into the robustness and security of your code comes from inspiration as well education. Many companies are addressing the education aspect, but who is taking on the inspiration angle? (If you don’t think inspiration is a commodity that can be produced, ask Coca-Cola or Nike.)
The last question I like to consider is who is actually responsible for secure code? The developers I know are generally not stupid or lazy. They care about the code. So where does the ball drop? An answer I’ve frequently heard is *-level management. So Step 0 is getting those players inspired to be Rugged.
Okay, that’s probably enough of my thoughts for now. Thanks again Adrian, SN, Jim and Jim for the thought provoking comments. Keep ‘em coming.
Developers alone cannot progress the issue of rampant insecure code. Supply without suffiecient informed Demand has kept AppSec spending the smallest part of the Security Spending Pie.
The bulk of the success of Rugged to foster informed, Non-Security, Non-Developer Demand has drawn most of the year one focus of the early advocates.
It isn’t that we aren’t hearing you, it was a matter of the above focus, execution, and broader mission.
This Summit is to better listen and action to the criticism and gaps.
To your point(s), the least success has been working with the Developers that we’ll need to help embrace and fulfill the broader demand we’re fostering. It isn’t that we’re not listening, it’s that we’ve defined Rugged as an economic/value/ecosystem/awareness problem in which secure coding is a participant – a vital one.
We have to engage security and non-security people better this year – starting now. Adrian and yourself can be critical to helping bridge this gap.
Even if we’d done zero with development (which is untrue), Marisa and other advocates know we did a great deal with the buyers, consumers, demand side of the ecosystem. There was Developer success as well – but on a small conference-by-conference level.
We have a good group assembled for next Tuesday night’s summit. We’ll have specifics after that. Better definition and sub-community definition will follow.
2010 was very successful at finding footing with fostering informed, genuine Demand. We will seek to better frame/bridge the who system and supply side going forward.
Sometimes I think I’m being slow but I don’t really see what Rugged has done to make you see it like that Marisa.
I agree with some of your points but companies do need to customise these things. I had this conversation with (I think) Steve Lipner at RSA Europe last year about how the MS Threat Modeling and SDL processes are great but not useful for most companies, you have to customise them. I don’t understand why you feel that is a problem and why Rugged is going to make a difference with that.
I will be honest as always and say that the comment from Josh and some parts of the one from yourself still don’t tell me what Rugged is or more importantly how it will help anyone deliver secure code.
My biggest frustration is that I don’t think Rugged is really listening to what people outside your “group” are saying. You have had three people comment here who are either developers or someone tasked with helping development teams write secure code (both in some cases) who either don’t get Rugged or don’t see its value. Unless you get those kind of people on board, people who I would assume are your target audience you won’t achieve much.
SN
For me, Rugged is about encompassing a growing number of “competing” methodologies, and creating a rally point that everyone can share. The secure coding club already suffers multiple identity crises. When an organization signs on for a secure coding program, they take it and customize it to be their own in such a way that is barely recognizable to the original document. It is helpful to have an organization that is outside of the confines of a single prescription, where practitioners of all the SSDLCSPs can share and be joined. A neutral space such as this is more likely to be accessible not only to every vendor, but to customers as well. I realize this is only a piece of the big picture, and in a group like this that is filled with Big Thinkers the potential is huge. This thread has me very encouraged for conversations to come in SF next week!
I’m certainly relieved to see I’m not the only person with these views!
@Josh I can tell you are passionate about Rugged but it really does need to push on big time now. I think in some ways you might have missed the boat a bit by not capitalising on the buzz and interest created by your initial Rugged presentation.
Like Jim Manico I feel I have to quote Jim Bird here:
“I’m a software guy. I don’t need a meme. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure. I don’t see anything useful, anything that I can use at all in Rugged.”
That is almost the exact same response I got when I put the Rugged idea/concept/meme to our developers.
I don’t necessarily think Rugged is a bad idea, I still don’t fully understand what the end goal is but personally I’d have called it something different and approached this in a completely different way.
SN
I agree with the naysayers. This is, as we developers call it, “pre-alpha”. It’s marketing, sales, fluff-ware, vaporware, exaggeration, wagging the dog. Yet another example of security guys doing the *exact opposite thing needed* to encourage and motivate developers to write more secure software.
As Bird eloquently said, “I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure.”
When Rugged even *begins* to deliver this, I’ll be waving the flag.
Adrian,
I don’t see the parallels between Rugged and Agile Development. And I don’t see the point of a Manifesto for Rugged, at least not yet.
Rugged is well-intentioned, it has the right goals, but it started off wrong. When some of the people who were leading new, lighter-weight ways of developing software like XP and Scrum and whatever got together 10 years ago and put out their “Agile Development Manifesto”, they were documenting the ideas and values that they held in common. Agile development didn’t start with a Manifesto. These people were already doing Agile development – they just didn’t call it that yet. They published their statement after they were already doing something useful, not before.
I’m a software guy. I don’t need a meme. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure. I don’t see anything useful, anything that I can use at all in Rugged. Rugged seems to be some kind of branding exercise – some slides and tweets, and nothing behind it. This hasn’t changed since it was announced. Go to the Rugged Software blog. Apparently only Alun is Rugged – or was a year ago, maybe Alun gave up. Check out the discussion group. Nothing.
In the year since Rugged was announced, I have not met another developer who has even heard about it – and maybe that’s a good thing. I agree with securityninja: the world already has OWASP, which has tools and committed people behind it. Rugged doesn’t add anything. It’s just noise.
@Josh – definitely looking forward to discussing this with you.
@Christian – if Rugged is successful as Agile I will hold up my hands and apologise to everyone for ever doubting it 🙂
SN
Hey SN, I know you talk about Rugged at this point just being a meme, but I think if you look at the Agile Manifesto, when it began it was probably a really similar thing.
As a tangent, saw this interesting post on the Agile Guys sharing their thoughts 10 years later: http://www.pragprog.com/magazines/2011-02/agile—
@securityninja
Rugged is a Value. A characteristic. An Attribute. A Quality. A State.
Rugged in its simplest sense is an affirmative, non-security-executive desirable.
Security is a negative – a Cost/Tax and usually an inhibitor to what a CIO wants.
Rugged encapsulates things like:
Availability
Survivability
Supportability
Longevity
Security*
Scalability
…that the CIO *already* wants.
For your eCommerce, do you want a flimsy Hosting Site? or a Rugged Hosting site?
Communities like OWASP can help developers to affect more Rugged outcomes. Jeff is involved in Rugged.
Rugged is on the overlooked People level more heavily than on the process and tech level.
We have a lot of great tools and technology and frameworks (sure we could use more and better ones). What’s most been lacking is Mainstream awareness and demand for the value of Rugged.
In my 11/12 months, I’ve seen the most traction for Rugged on those buying software. on Demand. If we can drive sufficient Demand, Supply will often follow.
I’m still looking to connect with you 1 on 1.
For now think of Rugged as what people want/need/deserve, and thing like OWASP, Agnitio, etc as ways people can help them to pursue.