Three respected security professionals have issued a call for developers to learn and practice secure programming in an effort to reduce the number of exploits directed at applications.
Called the Rugged Manifesto, the document encourages developers to adopt characteristics that will lead them to write more secure applications. The three authors of the manifesto are Josh Corman, an analyst with The 451 Group; David Rice, formerly with the National Security Agency and author of Geekonomics, a book about the real cost of insecure software; and Jeff Williams, the chairman of OWASP, an organisation focused on web application security. The trio announced the project at the SANS Institure AppSec Conferenc in San Francisco Monday.
The problem now, Corman says, is that developers write code assuming the only task is to make it perform a function. But that can lead to programs riddled with vulnerabilities that can in turn lead to economic damages, lost data and lost productivity. "We have to get to the mass of programmers who simply don't realize their code is being attacked and subverted by talented and persistent adversaries," he says.
The three are trying to motivate developers to aspire to rugged ideals and to learn how their code can be more secure. It's a philosophy or value set accompanied by business cases showing why it makes economic sense to write rugged software rather than dealing later with the consequences of vulnerable software.
There are software tools to test applications for vulnerabilities after they are written, but if developers wrote them in the first place with security in mind, there would be fewer to correct and the software landscape overall would be safer, Corman says.
Efforts are underway to reach the same goals, but they consist of people already committed to writing safer code. One of these is the Open Web Application Security Project, which is not at odds with Rugged, Corman notes.
Another existing coding initiative, Agile, promotes software development methodologies keyed toward rapid production of high-quality software. Can Agile and Rugged coexist? "That's a point of hot debate," Corman says. "The hurry-up, put-out-there, iterate attitude of agile could actually lead to even worse security problems. It's a conversation that needs to begin, and we're beginning it."
The Rugged initiative is meant to spread the culture of secure programming to those who are unaware of it, Corman says. Its goal is to "capture the hearts and minds of all programmers," he says.
An early aspiration is to promote the Rugged Manifesto in colleges that teach programming, so that over time the percentage of practicing developers who believe in Rugged principles increases. Rugged wants to focus on people and process, not just technology. "We tend to rush toward technology first," he says.
The Rugged Manifesto strategy is to encourage people to participate rather than force them into it. Rugged is a value set Corman expects people to opt into voluntarily, and that they will be drawn to employ existing toolkits and frameworks.
"When it's a value set, it's self-driven, it's self-regulating," he says. "You're going to get more passionate and engaged participants than a framework that's required by law."