Slashdot Mirror


Holding Developers Liable For Bugs

sebFlyte writes "According to a ZDNet report, Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write. He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system. He was speaking in his capacity as CEO of a security consulting firm at Secure London 2005."

8 of 838 comments

  1. Sarbanes-Oxley by ihistand · Score: 3, Informative

    I write financial reporting software for my company. Before anything is installed, even the most minor one-line bug fix, I have to sign a Sarbanes-Oxley statement of compliance. There are criminal consequences for not performing these steps properly. My QA person also has to sign this. My CIO is also held personally responsible, in that he/she could go to jail if something I wrote caused inaccurate financial reports to be released.

    I suspect many people who write software, like myself, are already personally responsible. And so we should be.

    1. Re:Sarbanes-Oxley by sadr · Score: 2, Informative

      But if you've complied with the procedures and a problem still sneaks through, you won't go to jail as I understand it.

      If you intentionally sneak something in that causes the data to be misrepresented, you're liable.

      If you put something in that is defective and didn't follow procedures, you're liable.

      But even the shuttle software, for example, still has the occasional bug even though it is developed under some of the most stringent policies in the world and isn't an overly large application.

  2. Re:CMMI by ShieldW0lf · Score: 2, Informative

    What he's saying is to sign and distribute your code using your legally registered corporation ABC Inc. and funnel everything out of the corporation into your pocket. That way when they try to sue ABC Inc. for their first born child, you can say "na na na na na, you loser, corporations don't have balls!"

    So to speak.

    --
    -1 Uncomfortable Truth
  3. Collaboration is not a hard requirement. IMO. by Richard+Steiner · Score: 2, Informative

    Producing good code is a complicated process, not something one person can do.

    There are dozens (if not hundreds) of examples out there of high-quality code being produced by a single standalone programmer, some of them fairly complex applications/utilities, and that is true not only in the DOS/Windows shareware and open source software environments but also in the corporate mainframe environments where I've worked.

    Yes, such folks will generally have other folks do testing over time, but often the concept, design, coding, and initial testing stages are all handled by a single person who has the technical skill, vision, and determination to create the initial solution and whip it into workable shape. Once that basic foundation is in place, feedback from others is solicited.

    A person who doesn't care about quality or who isn't technically adept enough to avoid problems is probably going to produce a bad piece of software in the end regardless of the processes in place unless everyone else in the development chain holds his/her hand.

    A person who is obsessed with clean code and who has a clear vision, on the other hand, can often perform amazing feats with little more than a single PC or terminal, a pizza delivery service, and a few hundred gallons of coffee (or Mountain Dew) at his or her disposal. :-)

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  4. OT: Clinton did not lie under oath by brlewis · Score: 5, Informative

    Under oath, Clinton was given a very specific definition of sexual relations, and according to that definition he didn't have sexual relations with Monica Lewinsky. Where he did lie was to turn around and say the same thing to the American people. We didn't give him any such specific definition, so he should speak our language.

  5. Re:Hey, God by lgw · Score: 1, Informative

    When grown men and women advocate the story as the literal Word of God then yes, indeed, he needs to be a sarcastic jerk about it. People that stupid *need* public ridicule, so that they serve as a warning to others. Over all, society benefits.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  6. responsible politician ... flying pig by ChristTrekker · Score: 2, Informative

    Ha! Yeah, that'll happen.

    Political responsibility is limited by the memory span of the constituents. If we've forgotten by the time of the next election, then they're not held responsible. There are several problems contributing to this:

    1. US Senators are no longer elected by state legislatures since the 17th Amendment. Can you remember what your senator did 6 years ago? Heck no. The longer term of the Senate was justified because they were going to be the best of the best, the most capable people, selected by a select group that had already been determined the best of their respective localities. Further, an entire state is too large a district to represent adequately from a populist perspective. Do you really think your senator feels personally accountable to any individual voter? Do you think he'd feel more or less accountable to the few dozen people in your state house? Hmmm, think about it. The 17th was supposed to make the Senate more responsive to the popular will, but it did the opposite. Senate campaigns are some of the most expensive there are. If you think Big Money is influencing politics, then you don't need campaign finance reform (which just limits individuals' freedom to support whom they want), you need to repeal the 17th.
    2. US Representatives likewise serve districts that are much too big. By the original reckoning of the Constitution (1:30k, small enough that you'd have a good chance of having met your Congressman at least), we'd need something like 8000 reps today. That's a bit crazy, but we certainly could have 1000 - easy with modern technology like PA systems, TVs, and computers. Again, make them accountable to a smaller group, so the common person will feel more engaged with the process, and hold the fire to their feet when it comes up on election time. At least they only serve a two-year term, so it's a bit easier to remember if the guy has been doing a lousy job or not.
    3. The (plurality) voting system lends itself to voter disinterest. The voting rate is so low because people feel they can't make a difference - they take it as a foregone conclusion that it's going to be a donkey or an elephant no matter what they do. Duverger's Law at work. We need to reform the system so that it supports diversity of political thought at a fundamental level - by giving everyone an equal chance, regardless of whether they're incumbents or not. Anecdotally, I submit the fact that the voter turnout rate in presidential campaign years declined every year 1960-2000, except for one: 1992. What happened that year? Ross Perot. Like him or hate him, he was a well-known well-publicized alternative that people thought had a chance of winning. He pulled some votes from the disenchanted of the Duopoly, and he pulled in votes from those that were disillusioned of the whole system and would have stayed home otherwise. Anyway, without informed and engaged voters, you're not going to get decent people elected.
    4. Media spin and media hype in a revenue-driven media world. The old media doesn't care about educating people anymore, and exposing corruption. They're in bed with the pols. If you want real reporting, you get it online or from other "non-establishment" sources.

    There are other reasons why politicians' actions are poor.

    1. In many states, members of the legislature are paid only a token wage, so you get underqualified people that are somehow in a position of having the free time to serve (e.g. retired). If the job is going to tie up so much time that he can't support a family by working the rest of the year in the private sector, then you need to compensate him fairly. Better yet would be to limit the role of gov't so you can get that business done in a couple months. Legislative sessions are traditionally in the winter so that you can get home in time for spring planting and the "work season" - but we've made the politicians' job into a full-time role. Unfortunately.
    2. There were some more, but I'm getting too long...
  7. Clueless! by wakked1 · Score: 2, Informative

    That's pretty moronic. Anyone who works in software security (and has a clue) would never put themselves in a position of being personally liable for certifying a piece of software as being "secure".

    Likewise, security consulting companies generally only issue "verifiable statements" regarding the software they evaluate. Such statements can include things like "passwords are not stored in plaintext", or "all network traffic is encrypted with SSL". No company with a clue would risk its business on a blanket guarantee that a piece of software is "secure". That's because there is no way to verify a given application is "secure" in the absolute sense anyway.

    Yet Mr Schmidt expects developers to certify as such. He clearly has no clue. While he's at it he should demand that automotive engineers certify their cars will never break down, and that police be held personally liable for failing to prevent a crime.