![Page 1: Rugged Software Development - OWASP Foundation · 2010. 2. 5. · Rugged Software Development Joshua Corman, David Rice, Jeff Williams SANS Application Security Summit February 5,](https://reader035.vdocument.in/reader035/viewer/2022071210/6021efdfe2c9d557cd6da5a0/html5/thumbnails/1.jpg)
Rugged Software Development
Joshua Corman, David Rice, Jeff Williams
SANS Application Security Summit
February 5, 2010
EVOLVING THREAT
EVOLVING COMPLIANCE
EVOLVING TECHNOLOGY
EVOLVING ECONOMICS
EVOLVING BUSINESS
COST, COMPLEXITY, RISK
Context
“What is missing from software security?”
Secure software is critically important to almost every aspect of life.
© The Economist, January 16, 2010
“A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls… If we stand still for a minute, our adversaries will overtake us.” - William Lynn, U.S. Deputy Secretary of Defense, January 2010
CURRENT SOFTWARE
RUGGED SOFTWARE
CURRENT SOFTWARE
RUGGED SOFTWARE
CURRENT SOFTWARE
RUGGED SOFTWARE
…so software not only needs to be…
FAST
AGILE
Are You Rugged?
HARSH
UNFRIENDLY
There is no such thing as “toy” software.
[Chart: attacker’s interest plotted against market share]
Software becomes a target at 3% market share.
THE MANIFESTO
I am rugged - and more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize these things - and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary… and I am up for the challenge.
WHAT IS RUGGED?
It’s not about style, it’s about the result.
It’s not about external compliance…
[Diagram: The Choir as a small group within The Masses]
1) Beyond the choir
[Diagram: The Choir]
2) Beyond technology
3) Aspirational
The Journey: Aware → Informed → Selective → Mature
GETTING INVOLVED
Folks Who Helped Shape This
• Dan Geer, In-Q-Tel
• Chris Hoff, Cisco
• Chris Wysopal, Veracode
• Scott Crawford, EMA
• Pete Lindstrom, Spire Security
• Andrew Hay
• Tom Kellermann, Core Security
• Will Gragido, Cassandra Security
• Eric Hanselman, LeoStream
• Marisa Fagan, Errata Security
• Anton Chuvakin, Security Warrior
• Joe Jarzombek, DHS
• Barmak Meftah, Fortify
• Nick Selby, Trident Risk Mngt
• David Etue, Fidelis
• Rich Mogull, Securosis
• Adrian Lane, Securosis
• Tim Greene, NetworkWorld
• Dan Guido, NYU-Poly
• Caleb Sima, HP
• Ryan Barnett, Breach Security
• Jack Daniel, Astaro
• Jennifer Jabbusch, CAD, Inc.
Next Steps…
• Charter Members
• Introductions to University CS Programs
• Chair and Co-Chair Working Groups
– Welcome Package: Getting Started
– Business Cases
How to find out more…
http://ruggedsoftware.org
Google Groups
https://groups.google.com/a/owasp.org/group/rugged-software
“What does Rugged mean to you?”