Thread: Expert: Hold developers liable for flaws

  1. #1
    Senior Member
    Join Date
    Feb 2003

    Expert: Hold developers liable for flaws

    Software developers should be held personally accountable for the security of the code they write, Howard Schmidt, former White House cybersecurity advisor, said.

    Speaking Tuesday at the SecureLondon 2005 conference, Schmidt, who is now the CEO of R&H Security Consulting, also called for better training for software developers. He said he believes many developers don't have the skills needed to write secure code.

    "In software development, we need to have personal quality assurances from developers that the code they write is secure," said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL.

    "They had strong authentication, strong passwords, an encrypted tunnel. The stored data was encrypted. But when that data was sent to the purchasing office, it was sent as a plain text file. This was not an end-to-end solution. We need individual accountability from developers for end-to-end solutions, so we can go to them and say: 'Is this completely secure?'" Schmidt said.

    Schmidt also referred to a recent survey from Microsoft that found that 64 percent of software developers were not confident they could write secure applications. For him, better training is the way forward.

    "Most university courses traditionally focused on usability, scalability and manageability--not security. Now a lot of universities are focusing on information assurance and security, but traditionally Web application development has been measured in mouse clicks--how to make users click through," Schmidt said.

    Companies that develop software also have a role to play, said Schmidt, by checking that prospective employees have relevant security qualifications before hiring them.

    The British Computer Society agreed that there should be accountability in software development, but argued that companies should be held responsible for the security of the code written by their employees, rather than the employees themselves.

    read the rest here:

  2. #2
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Yeah! Why not! Software is no less than medicines; the producers should hold responsibility for what they produce and present to the public. This would be really great: the producer would think twice before actually selling the software in the market. In the current market the purchaser is actually testing the product, and after discovering its weaknesses the producer produces fixes, and if the fault is pricey and costs the business money no one can sue them, at least I have not heard of this before!

    For companies, an annual skill-set review is going to help a lot, like following MBO {Management by Objective}: every department puts an objective to work towards. For example, if they had three flaws in their programs, a good objective is to produce flaw-free programs. If they could, this would be great; if not, then there is a problem somewhere with someone, and they can seek out the problem and then eradicate it.

    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts." ..... Spaf
    Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster

  3. #3
    Join Date
    Jul 2005
    That's like holding lawyers responsible for any flaws in the law.
    In the business world, all developers must have their products finished by yesterday and the testing phase is often overlooked. So is providing proper documentation. If you want to develop software the right way, you will need quite some time to finish it. Unfortunately, the market demands just make this impossible.
    And keep in mind that with huge products like something like an operating system there are perhaps hundreds, even thousands of developers involved in the whole process.

    And what would be the consequences in the open-source community? Well, none, actually. You tend to use that kind of software at your own risk. That's part of the license. It's actually part of commercial software too, up to some level.

    And finally, it's not just the software that causes all those security flaws. Users who use the same password for all their accounts, often easy-to-guess passwords, are more of a risk than a software flaw. And of course they forget to apply all the updates. Or make some other mistakes...

  4. #4
    Join Date
    Apr 2003
    The cited case looks more like an example of flawed project design than anything else. However, placing personal liability on the shoulders of developers/programmers for things like that would just kill the entire industry. The developers may not have had anything to do with the final stage of the project, but Schmidt would make them personally responsible?

    How many coders in this community think they could continue to survive in this industry if every app they produced also produced personal liability exposure? Financial ruin to the seventh generation ... biblical proportions.

    And, what about all that development that has been shipped off-shore, how do you address that?

    Way too simplistic and unrealistic.

  5. #5
    () \/V |\| 3 |) |3\/ |\|3G47|\/3
    Join Date
    Sep 2002
    About Schmidt's background...

    My own educational background is that I have a business administration degree and a graduate degree in organizational management.
    Maybe he'd feel differently if he *was* a developer.


    Go Finland!
    Deviant Gallery

  6. #6
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    We don't hold engineers or line-workers directly responsible for flaws in cars or other equipment -- the company that employs them, and that is ultimately responsible for the final product, however, is another matter... Companies that produce substandard products, regardless of the pressures they are under, should be held accountable.

    From 2004:

    Former Mitsubishi head, execs arrested for covering up defects
    Chris Buell at 9:14 AM

    The former president of Mitsubishi Motors and five other executives for the company have been arrested in Japan for allegedly covering up defects in a truck model that led to a driver's death. Katsuhiko Kawasoe, who resigned in 2000 after the company admitted it had covered up the vehicle defect, is charged with negligence for failing to recall the faulty trucks despite knowledge of the problem. The scandal has led the company to recall more than 1 million vehicles since it was uncovered in 2000. Japanese police arrested seven company executives last month in connection with the investigation. BBC News has more.

    Dithering on this one issue almost brought down the whole company. Granted, in most cases software flaws don't take lives, but they do cost an awful lot of money and time.
