Read Time: 8 minutes

Vulnerable U Community,

Welcome to the latest edition! Today, we're looking back at the decade since some in our industry coined the term “Rugged Software” as a guiding principle for organizations to become more resilient. What’s changed? What’s the same?

Topic of the Week:

Our first edition of the newsletter seems to be generating a lot of conversation on Twitter and LinkedIn. I’ll be sure to revisit some of those concepts soon about CISO Incentives and how we can work to shift our focus among security teams away from “stoplight security.”

But for today we’re going to look at something we spent an awful lot of time talking about in the early 2010s - The Rugged Security movement. Closely related to other mantras like “Shift Left” and “DevSecOps” but I chose Rugged for a reason. It has some guiding principles which align closely to what I’m going for here with the Vulnerable U theme of acknowledging where we are weak and improving our collective resilience. They even have a manifesto!

My favorite line in this manifesto comes to mind for me often: “I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.” - How true is that? How many times have we sat in a discussion about a repo nobody can figure out who owns but is for some reason mission critical? I like to call these “load bearing dependencies” - as in, oh that repo? thats my load bearing repo, I’m not sure what it does but if you remove it everything breaks.

The one that might stand out in the context of this newsletter is “I refuse to be a source of vulnerability or weakness” - and I love to see that the two words are separated. Vulnerability is not weakness. As for the “refusing to be a source of vulnerability” part, we’ll lean into that just being about code.

Where things start to hit right at home for me is right at the top of the Rugged Software website:

Committing to have a rapidly evolving culture. Committing to be resilient. These are key pieces to the puzzle and I have a whole conference talk I’m cooking up about how “Shifting left” has changed our industry since we’ve been preaching it for so long. But lets hit some highlights.

Whats Changed?

• More than ever we’ve recognized the vulnerability of our supply chain. Those bits of code that are used for too long and for purposes beyond original conception. They’ve increasingly been used in very public data breaches. We’re throwing lots of money at these problems now, I’ve yet to see the needle shifting but the culture certainly has.

• The effective security teams are engineering heavy. We’ve shifted left so effectively that in order to be an impactful security team you need to be a developer team yourself. If you’re running security tools and handling developers reports or tickets, you’re not really in the dev lifecycle. (This one bullet is the crux of the talk I’m developing. Its a big topic but I’ll leave it here)

• Some behemoth web frameworks have been released and become more popular such as React, which are much more security conscious from the start. They make it so instead of having to code securely on purpose, you’d have to go out of your way to avoid the built in protections.

  • An actual example from React is in order to code something vulnerable to Cross Site Scripting you’d have to use an element called dangerouslysetinnerhtml, it is reminding you in the name what you’re about to do is dangerous. As opposed to 10+ years ago where the default way was insecure and you had to go out of your way to protect yourself.

Whats stayed the same?

• Our attitudes. The security industry still somehow thinks they’ve got it either all figured out or that they’re 1 vendor implementation away from finally having the toolset to be a real security program. - One part of the Rugged movement was taking ownership, a sister organization called I am the Calvary was all about recognizing the heroes weren’t coming, we needed to be the heroes. I’m not sure we’ve made a whole lot of progress here, but this is anecdotal.

• We’re still reactive. Many times we know what we need to do but it gets deprioritized for the new and shiny thing the org is focusing on. Many teams are operating on shoestring until a breach or some other fire and then its “don’t let a good crisis go to waste” blank check season.

• Our reluctance to admit and discuss vulnerability publicly. I always remembered the following tweet and so I went and found it. Its from 2015. It could be written today (in fact, I Quote Tweeted it this week)

If we’re all only getting breached from sophisticated attacks, where is the average? Is phishing sophisticated? Yes, maybe sometimes. Is an employee being targeted at home sophisticated? Maybe, definitely targeted, but also some pretty simple foundational defenses would stop these things. We just constantly are making decisions between friction added to employees lives and security or privacy.

What if instead of being reactive, or only “admitting defeat” to a sophisticated elite adversary, we embraced that we’re all facing some version of the same issues every day and have a collective need to overcome them.

Elective Reading

Here are some things I’m reading right now and some cliff notes or thoughts:

The whitehouse strategy came out - Here’s the outline:
PILLAR ONE | DEFEND CRITICAL INFRASTRUCTURE
PILLAR TWO | DISRUPT AND DISMANTLE THREAT ACTORS
PILLAR THREE | SHAPE MARKET FORCES TO DRIVE SECURITY AND RESILIENCE
PILLAR FOUR | INVEST IN A RESILIENT FUTURE
PILLAR FIVE | FORGE INTERNATIONAL PARTNERSHIPS TO PURSUE SHARED GOALS

• Establish a security baseline of normal network activity; tune network and host-based appliances to detect anomalous behavior.

• Conduct regular assessments to ensure appropriate procedures are created and can be followed by security staff and end users.

• Enforce phishing-resistant MFA to the greatest extent possible.

“Noname Security was the 27th and final cybersecurity vendor in 2021 to receive a valuation at or above $1 billion, which the API security startup achieved despite emerging from stealth just one year earlier and having less than $5 million in annual sales”

Just the absolute worst that society has to offer here. I already watch a fair amount of ransomware traffic and hate when medical facilities are hit, but this is next level disgusting.

The Power of Vulnerability:

Bug bounty programs - for those unaware, they are initiatives set up by organizations to encourage individuals to report vulnerabilities in their software, networks, or systems. These programs provide incentives, usually monetary rewards that can get very large (6-7 figures), to those who discover and report such vulnerabilities. This approach allows organizations to identify potential weaknesses before they can be exploited by attackers, thereby increasing their security posture.

BUT initially, these bounty programs were met with skepticism and even considered taboo in some circles. The idea of allowing never mind rewarding someone for finding vulnerabilities on YOUR turf? This could’ve been seen as a betrayal of trust, as it implied that the system was not secure in the first place. However, over time, this perception has changed, and bug bounty programs are now seen as part of a gold standard security program.

The power of vulnerability concept can be applied to bug bounty programs to promote shared resilience. Vulnerability looked at a different way, can refer to the willingness to be open and honest about the limitations and weaknesses of a system. By embracing vulnerability, organizations can create a culture of shared responsibility, where everyone is encouraged to take ownership of security and work collaboratively to address vulnerabilities.

Bug bounty programs are a prime example of how vulnerability can be used to promote shared resilience. By acknowledging that their systems may not be perfect and incentivizing others to find vulnerabilities, organizations can create a culture that fosters continuous improvement. This approach not only helps identify potential weaknesses but also helps build trust with customers and stakeholders by demonstrating a commitment to security.

I hope to write more on this in the future but I felt like it was a good highlight for the early days of the theme of Vulnerable U.

Community Spotlight:

I expected to have to bribe someone for the first entry to this section I thought would be nice for our newsletter, but no! One of my oldest friends wrote me with a suggested topic and story. Pete Monahan and I have known each other longer than either of us have been in the industry. He’s also been an avid SCUBA diver for a number of years. It turns out it is a popular hobby among infosec pros (When they aren’t lockpicking or tapping people out on the BJJ mat?) Pete writes in:

I love it. Thanks for the note, Pete. I look forward to exploring this idea further with you and your scuba crew. Embracing the risks and vulnerability of a given moment while you’re not in control of a lot of variables at the mercy of mother nature would be a compelling anecdote to take some lessons from and apply to other areas of our life including our day jobs.

Please write to me and share stories or anecdotes for this section. It goes very well with the theme of being vulnerable together to share stories. I’d especially love to hear about your failures. What is a time you failed? What did you learn? How did it change your life?

Extra Credit:

Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.

Parting Thoughts:

Let me know how I can help as always.. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out to us. I’m always happy to hear from our readers and help in any way I can.

Stay safe, Matt Johansen
@mattjay