Wednesday, March 30, 2011

What I've learned about Rugged in the past 24 hours

Well, I learned yesterday's post touched something in some people.  Based on the comments I got, both online and offline, I can guess a few of us are confused about what Rugged is about.   Especially those of us who've only read about it, instead of having it explained to us.   And sadly, some of us "saw it and dismissed it" as another security fad. Maybe this post can help fix that.

A lot of folks, including @joshcorman himself, stepped up to help me understand Rugged. Very nice, Lazyweb!

First, let's start with the problem (as I see it)

Software security programs have a poor Raison d'être. This is likely because it's hard to define what "secure software" is.  (heck, define "secure")  Is secure software?
  • Resistant to cross-scripting and SQL injection attack (insert attack du jour)
  • Bug-free?
  • 100% OWASP complaint (yes, I have been asked this)
  • Have no high vulnerabilities?
  • Made with high quality?

Waste of time, right?  We all know secure is a sliding scale based on value and risk.  You can't arbitrarily define security, which makes it less than useful for talking to executives and business program managers.  So how do we frame the conversation in a useful manner?  Enter Rugged.

Rugged leap-frogs over all these definitions and points to the qualia we security grognards are jumping up and down about.  It brings it down to earth with a clear and sharp image that conveys the essential intrinsic properties of "secure software"

To answer my own questions:

1) How is Rugged different than any other Best Practices?
Well, it's NOT really a best practice… more of a framing technique… or (ulp) a paradigm.  I was expecting too much of Rugged to even put it in this category, it's just not that kinda thing.  It's just a way to simplify the dynamic and intangible.  Of course, we could apply some evidence-based analysis over time to see how effective it is in helping the non-security folks understand us.

2) Convincing the developers to write more secure/stable software isn't my problem. My problem is convincing customers and managers so that they'll let/encourage the programmers to to write more secure code.
Ah, this would be Rugged's sweet spot.  Here is a meeting ground for the security team, developers and money spenders to agree on something that is useful and clear.   A way to communicate what needs to be asked for, what needs to be done and what the final product looks like.

3) Software security problems are deep and complex.
Actually, digging deep enough into Rugged, this issue is acknowledged.  And Rugged doesn't aim to solve these problems directly, but again, it gives us all something we can put hands around when wrestling with them.

4) Rugged appears mysterious and embryonic.
Hopefully we can change that.  The more we spread the word (and ask questions), the less confusion we'll see.  So I'll light a candle now:

Here's how I would summarize it as guidance from management to the developers.

"If our software is Rugged, it is built to withstand adversity, tolerate anomalies, and always do what we intend it to do. Our customers depend upon this level of unyielding reliability; in fact, they expect nothing less. It is our responsibility to meet these expectations."

How's that sound?

Tuesday, March 29, 2011

Would someone please explain this Rugged thing to me?

I'm steeped in a huge SSDL project here at work - looking to move security in our development processes to the next level.  Lots of heavy lifting doing evaluation, analysis and reorganizing.  I'll throw in a shameless plug for WhiteHat Security who's helping us a ton.

Now, one of the things that came up in my search to see how to improve things was the Rugged Software movement.   Early on in the process, I foolishly mentioned it to our CTO as something to look at.   Why did I saw this was this foolish? Well, because at the time, I had only a cursory understanding of Rugged.   He went off and dutifully checked into Rugged only to find the bare documents on the website.  Indeed, it was a movement, but apparently not much else.. at least at that stage of the game.  He came back to me confused and wondering why I had brought it up to him.  What was he supposed to do with this Rugged thing?  Oops, I had just wasted some credibility and an important ally's time.   A mistake I wasn't going to repeat.

Well, here we are months later, and I'm afraid I still have only a cursory understand of Rugged.  Apologies to Josh and the other creators of Rugged, but I just don't see anything there worth passing on yet.  Maybe it isn't aimed at our developers? I don't know.  It wasn't clear.  I'll be the first to admit I've not attended any conference talks on Rugged (I admit here, I don't make to many conferences) and I don't attend many webinars or online thingies (they're often hard to follow).  I have googliated a bit and haven't found much beyond a few news articles.  On the other hand, I have found tons of advice and guidance on practical secure development frameworks like BSIMM.

Overall, my big questions / confusions are:

1) How is Rugged different than any other "Best Practice"? 
Is there any evidence yet to show that it improves security?  Can I see it?   Can I share it with management?

2) Convincing the Developers to write more secure/stable software isn't my problem.
Talk to them, as I have, and most of them wouldn't mind writing more secure code.  Some of them even want to write more secure code.  And a certain chunk of them don't know how to write secure code.  I don't see how Rugged solves any of these problems very well.    The root of the problem comes from the fact that secure code still isn't spelled out in the requirements.  Developers can only do what the project manager demands, which is based on what the customer demands.   So if Rugged is aimed at convincing customers to ask for more rugged software, specifically and pointedly asking, then I'll admit it should be preached (but not to me, to my customers).

3) Software security problems are deep and complex.
A lot of security bugs are buried deep in old crufty code or libraries.  Even when all our developers are cracking on all cylinders of secure code dev, we're still excavating for fundamental faults and design flaws.  And when you land in those pits, you're dealing with Expensive Questions - redesign ($$$) or patch-and-move-on.   I need a movement that helps me make those decisions.

4) Rugged appears mysterious and embrionic.
I'm sure it will grow up to be influential and useful, but to be practical to me right now, I need something that's actionable that I can use with my Development team and management.    The story I mentioned in the opening about confusing my CTO cannot be repeated.   And beyond that, my executive team will ask for proof and metrics for any new development movements I propose.   I don't blame them.

So please, help me out here.  I am confused, what am I missing or misunderstanding?

UPDATE - People have stepped up to 'splain it to me (ha, my evil plan worked).  Read what I've learned here.

Tuesday, March 1, 2011

Good pen test reporting resource

I knew there were folks out there who could do a good job at this.   Instead of writing sloppy security reports, here's a positive example of how to do a better job at it by Steve Shead.  He's a security guy and a graphic designer, so no wonder I like his layout for pen test reporting.