Security, is often either an oversight or an afterthought for most software projects. Most development teams would rather focus on getting more functionality on the table than spend time to evade a possible security breach. In order to help developers realize the importance of rugged software and the path to reach there, Joshua Corman, David Rice and Jeff Williams founded the Rugged Software Manifesto.
Bill Brener suggested that rugged does not mean that it cannot be busted. It means that it is much better than what we had before. This builds a new culture amongst software developers based on toughness and commitment to improve. Bill added that though there are several initiatives to force security into software development like BSIMM -- the Building Security In Maturity Model, Security Development Lifecycle (SDL) etc but rugged is better,
Rugged takes it a step further. The idea is that before the code can be made secure, the developers themselves must be toughened up. Vulnerabilities are the result of human error, and if you change the human attitude, good things will follow. That's the hope, anyway.
Jeremiah Grossman suggested that, in the current software development scenario, developers do not have the incentive to build security into their code. Often the stakeholders would like to spend more on functionality than security and then if there is a security breach then the developer is seldom punished. Jeremiah suggested, that though he does not advocate punishment but something like the Rugged Manifesto promotes peer pressure to feel proud about good work and embarrassed when it is not.
Kelly Jackson Higgins quoted the CTO to make a point in favor of ruggedness,
Chris Wysopal, CTO of Veracode, says developers must be part of the solution to security problems. "Unfortunately, most developers don't know what it means to write secure code, and worse they think they already write secure code if they write high quality code. Software security practitioners have struggled to get past this mindset. Rugged code is a way of breaking through and instilling a mindset that secure code should be a pride-of-ownership issue just as much as elegant, high performing, and high quality code is."
The Rugged Software Manifesto states
- I am rugged and, more importantly, my code is rugged.
- I recognize that software has become a foundation of our modern world.
- I recognize the awesome responsibility that comes with this foundational role.
- I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
- I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
- I recognize these things - and I choose to be rugged.
- I am rugged because I refuse to be a source of vulnerability or weakness.
- I am rugged because I assure my code will support its mission.
- I am rugged because my code can face these challenges and persist in spite of them.
- I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.
Though many people support the effort, not everyone seems to be praising the idea.
Pete McBreen suggested that the Rugged Software Manifesto has to be a parody. Some of the statements are fine but overall it is over the top.
Likewise, Jim Bird suggested that the Rugged Software Manifesto is attempting to duplicate the success of the Agile Manifesto. The latter was a success because it was driven by people like Kent Beck and Ward Cunningham who develop software. For the Rugged Manifesto to succeed, it would need support from the software development community and not just from the application security community. Jim further commented on the lack of activity around the movement. According to him,
I signed up for the Rugged Software forums, blogs, lists and…. Well, there’s the announcement and some trade press coverage. And that Manifesto about ruggedness, and an empty blog and an empty forum. That’s it, that's all I have been able to find so far. So, I guess I was walking too fast. I will wait and see if there is a real opportunity here, a chance for an initiative that speaks to, and for, the software development community, something that has a real chance to succeed.
Reacting to the question of coexistence with Agile, Corman suggested,
"That's a point of hot debate. The hurry-up, put-out-there, iterate attitude of agile could actually lead to even worse security problems. It's a conversation that needs to begin, and we're beginning it."
Andrew Fried, condensed the 10 item manifesto to 3 main thoughts. According to Andrew,
- The software should do what it’s advertised to do.
- The software shouldn’t create a portal into my system via every Chinese and Russian malware package that hits the Internet virtually every minute of every day.
- The software should protect the users from themselves.
Thus, though there is significant amount of money being spent on developing functionality for a software, the focus on making it rugged still needs to gather momentum. Whether the Rugged Software Manifesto can make the developers look in the right direction is yet to be seen but it looks like a start. As Joshua Corman suggested,
Developers write code assuming the only task is to make it perform a function. But that can lead to programs riddled with vulnerabilities that can in turn lead to economic damages, lost data and lost productivity. We have to get to the mass of programmers who simply don't realize their code is being attacked and subverted by talented and persistent adversaries.