Why Rugged Matters in the Dev, Sec, and Ops Discussion

This week I was able to talk at DevSecOps Singapore. From that talk, I realized something. Well, not really something new, but I found something that I had once known but had forgotten. Rugged. Or, more specifically, why Rugged Software matters.

Rugged Software

Rugged Software is the idea that we can think of security not in terms of the absence of events, but in aspirations of quality. Security is a function of quality and arguably quality is a function of security. They work together, hand-in-hand providing a real, tangible benefit. In the physical world, we intrinsically know this. We buy cars to stay safe, use banks with good defense, and we instrument our homes for protection against intruders.

In software, we somehow lost our way. We made the conversation about whether we were hacked or not. Whether certain events existed or not. This made security a victim of circumstance rather than an effort in engineering. By that I mean we haven’t used value-driven approaches or value-centric language to build security. Instead, it has been commonplace in our industry to achieve compliance or manage risks through legal documents and insurance policies.

Insuring against risk is not the same as engineering for safety. We should not be fooled by this false construct. To this end, I love this quote:

When I first read this several years ago, I was blown away. Collectively as an industry, we have steered the ship down the wrong path of compliance and insurance policies and the like. We did this in the name of security but this completely leaves out security’s role of quality. There is no quality in an insurance policy — there is loss protection, but that is not quality.

Why Rugged Matters

That quality matters and includes security is not a new revelation to most, or at least it shouldn’t feel like a paradigm shift or something radical.

I found this old slide from a presentation I had given several years ago and I included it in the presentation at DevSecOps Singapore. It juxtaposes security and rugged as two propositions and the general perceptions of and ideas behind both.

Security is driven by an absence of events, often costing more resources than desired. Security has a negative attitude towards developers and software engineers. Security is negative, dealing with Fear, Uncertainty, Doubt as the main currencies. Overall, Security is toxic.

Flip that around to Rugged. Rugged seeks to verify quality and give proof to consumers that the software can stand up to the test. Rugged shows benefits to engineering teams and business owners. Rugged deals in positive language, showing known values for strength, reliability, and quality. Overall, Rugged is affirming.

My hope is that by writing this, it will help me reframe my thinking around this and maybe yours as well. Thanks for reading and let me know in the comments on what rugged vs. security means to you.