Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

A meme is born.

(I was originally going to title this blog post “plus la meme,” but was worried that I would be the only one who found it amusing ...)

It’s clear that we have way too many security problems with software today.  You can’t throw an exception without hitting someone who will happily pontificate on how software is crap and we’re all going to die.  There are very, very few people who are willing to strike out in a risky direction to do something about it.

Josh Corman is one of those people out there braving the elements.  He is in the process of introducing the Rugged Software movement, complete with its own Manifesto, which says in its entirety:
I am rugged - and more importantly, my code is rugged.

I recognize that software has become a foundation of our modern world.

I recognize the awesome responsibility that comes with this foundational role.

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

I recognize these things - and I choose to be rugged.

I am rugged because I refuse to be a source of vulnerability or weakness.

I am rugged because I assure my code will support its mission.

I am rugged because my code can face these challenges and persist in spite of them.

I am rugged, not because it is easy, but because it is necessary… and I am up for the challenge.

Now, this is an interesting and vital attempt at social engineering, in the best sense.  As a security manager, I’m fully aware that security is not one of the elements included in the concept of software Quality Assurance.  It’s not even listed as a Functional Requirement in software requirement specifications.  Hardly anyone outside of the security field today would consider an application to be incomplete without security written in.  To change this will require a mindshift of extraordinary magnitude.  (Insert pop culture reference here.)

Right now, the argument about secure software is pitting security professionals against software developers; in order to get developers to take this seriously, we need to take their focus off of us as their adversary and put it where it belongs:  on actual hackers.  “Rugged” doesn’t just mean hack-resistant; it means software that can withstand accidental misuse and random, unpredictable stresses.  (When describing this requirement to developers in the past, I’ve pointed out use cases and told them that we also need abuse cases.)  Bridges are built not only to withstand normal traffic and explosives; they’re also built to withstand the forces of nature, surges in traffic and any other unpredictable performance scenarios.  This is what we need to get across to developers.

When he was working on it, Josh called me up to ask whether I thought it was too “macho.”  It’s true that “rugged” (meaning “tough,” not “toupéed”) instantly evokes images of Clint Eastwood and very large pickup trucks, but I really don’t see a better way to describe what we need.  And frankly, if it will finally get developers to VALIDATE THEIR FRICKIN INPUT, I don’t really care whether it also causes them to want to hold their scrum meetings at Hooters.

Now, this is only a baby meme.  I talked to folks at Shmoocon who liked the idea, but felt there wasn’t enough “there” there yet, in terms of having something concrete that they could take back to their IT departments and present.  So there’s still a lot of work that needs to be done, but that just means that all of us need to grab our pickaxes and shovels and dig in.  If this is something that you feel you can believe in, follow the gourd and keep the movement going!

Posted by shrdlu on Sunday, February 14, 2010