A lot of folks, including @joshcorman himself, stepped up to help me understand Rugged. Very nice, Lazyweb!
First, let's start with the problem (as I see it)
Software security programs have a poor Raison d'être. This is likely because it's hard to define what "secure software" is. (heck, define "secure") Is secure software?
- Resistant to cross-scripting and SQL injection attack (insert attack du jour)
- 100% OWASP complaint (yes, I have been asked this)
- Have no high vulnerabilities?
- Made with high quality?
Waste of time, right? We all know secure is a sliding scale based on value and risk. You can't arbitrarily define security, which makes it less than useful for talking to executives and business program managers. So how do we frame the conversation in a useful manner? Enter Rugged.
Rugged leap-frogs over all these definitions and points to the qualia we security grognards are jumping up and down about. It brings it down to earth with a clear and sharp image that conveys the essential intrinsic properties of "secure software"
To answer my own questions:
1) How is Rugged different than any other Best Practices?
Well, it's NOT really a best practice… more of a framing technique… or (ulp) a paradigm. I was expecting too much of Rugged to even put it in this category, it's just not that kinda thing. It's just a way to simplify the dynamic and intangible. Of course, we could apply some evidence-based analysis over time to see how effective it is in helping the non-security folks understand us.
2) Convincing the developers to write more secure/stable software isn't my problem. My problem is convincing customers and managers so that they'll let/encourage the programmers to to write more secure code.
Ah, this would be Rugged's sweet spot. Here is a meeting ground for the security team, developers and money spenders to agree on something that is useful and clear. A way to communicate what needs to be asked for, what needs to be done and what the final product looks like.
3) Software security problems are deep and complex.
Actually, digging deep enough into Rugged, this issue is acknowledged. And Rugged doesn't aim to solve these problems directly, but again, it gives us all something we can put hands around when wrestling with them.
4) Rugged appears mysterious and embryonic.
Hopefully we can change that. The more we spread the word (and ask questions), the less confusion we'll see. So I'll light a candle now:
Here's how I would summarize it as guidance from management to the developers.
"If our software is Rugged, it is built to withstand adversity, tolerate anomalies, and always do what we intend it to do. Our customers depend upon this level of unyielding reliability; in fact, they expect nothing less. It is our responsibility to meet these expectations."
How's that sound?