Reviewers: Arun John Kuruvilla
Helpful links:
Rugged Handbook (Strawman) v7 (pdf)
Rugged Implementation Guide v4 (pdf)
"Rugged" is a frame of mind which is used by organizations to create stable and secure code that anticipates future threats and vulnerabilites. By staying ahead of threats in time, a rugged mindset reduces cost and increases savings for the organization in the long run. Rugged organizations produce rugged applications that is easily maintainable, understandable, and secure. These applications can self analyze, detect attacks, and also respond to events according to their severity.
Software plays an important role in our day to day lives, such as monitor our health, our finances and so on. With the increases reliance on software, it becomes even more paramont that these softwares and applications can take a hit and survive without causing damages to humans. Compared to nature, which incorporates ruggedness, human developed objects are quite fragile. The book provides several examples taken from nature which can be used by software engineering organizations to structure their teams and give rugged output.
The author speaks about drawing parallels from nature when getting rugged. Prairie dogs are good examples of monitoring threats that are faced by an application. Ant colonies demonstrate the benifits of working together. Defenses against common threats should be unified like musk oxen. The various libraries and components used by an application should be controlled similar to how a family of beavers control their environment. Several other parallels are explained in this chapter.
While roles and responsibilities are different for each organization, this chapter tries to understand what these roles perform and how ruggedness can be incorporated into them. These roles might be labelled differently for one organization or might not even exist for another. Several metrics are also provided which helps monitor how well a particuler role is performing with respect to ruggedness.
A rugged executive's role is to express the organizations concerns and to explain its security story. Several steps can be taken towards this direction and are mentioned in this chapter.
The role of a rugged Security analyst and the various scopes of information and insights needed by such a role are mentioned in this sub-chapter.
This subsection mentions some of the points that a rugged architect has to keep in mind while designing a system so that it will meet the expected threats. The architect's role is to set up defenses so that the application stays strong against resent as well as future threats.
The responsibilites of a rugged project manager includes understanding enough of the security architecture and managing the project and team to deliver a rugged application. Several of these responsibilities are mentioned in this sub-section.
Getting rugged eventually boils down to the developer. The developer is the role that implements the entire security architecture and gets data and statistics for other roles to monitor the health of the system. This subsection explains the responsibilities of that role.
This is the role that monitors the application and keeps the application and organization updated against current threats and future ones. The various responsibilities of the rugged tester are explained here.
This chapter gives suggestions on how an organization can get started at being rugged and in turn make thier applications and services also rugged. The suggestions explain how various roles can look into the organization as their whole and make their organization resistant to current as well as future threats.
This chapter talks about the various indicators that a rugged application has that can prove that it is regged. Some of the indicators can also be used by the organization to prove that the applications and software that they produce are rugged. Several scoring criteria that can be used to score an organization or application's security story are mentioned.
the author talks about some of the technlogies that can be used by an organization to becaome rugged. While a rugged mindset does not require the use of any particular set of tools, the author recommends some that he feels will help.
Rugged is often confused with being a new stratergy for organizations. Through this chapter, the author tries to forward the idea of how a rugged mindset fits with the the major tools and trends in application security. Several resources where further information regarding security can be obtained are also mentioned. The author also tries to explain how being compliant with a compliance regime does not equate security.
The author explains how Apple describes a powerful story of their growth and development in an easy to read and meaningful way. Other than a security story which includes lifelines, stratergies and defenses, Apple tells a story about labor and human rights, worker safety and health, among a few others.
The author here gives an exaple of how a security story can be improved. The author also mentions how to indentify security concerns first and then address them in the website to put forward an much more compelling security story.