Slashdot Mirror


Holding Developers Liable For Bugs

sebFlyte writes "According to a ZDNet report, Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write. He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system. He was speaking in his capacity as CEO of a security consulting firm at Secure London 2005."

8 of 838 comments (clear)

  1. If anyone it should be the managers by metternich · · Score: 5, Interesting

    You need proper code reviews, etc. if you want to find security flaws. The company writting the code should be responsible for organizing such things.

    --
    Facts do not cease to exist because they are ignored.
  2. It's the system, not the individual by coyote-san · · Score: 5, Interesting

    While individuals can make stupid mistakes, the real problem is in the system and managers are ultimately responsible.

    As a simple example, take a web application. The web people believe (reasonably or not) that the form fields will be cleaned up by the backend people. How do they know what's dangerous anyway? The backend people believe (reasonably or not) that the data will be cleaned up by the web people. How do they know the various encoding schemes used, etc.

    Then some **** adds a cross-scripting exploit and compromises sensitive information.

    Who's responsible, the developers or the managers? Even if the developers are paranoid, what about the errors introduced as everyone tries to handle conditions outside of their sphere of knowledge? What about the new security flaws introduced by that?

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  3. Re:Hold Government Leaders personally responsible by Skye16 · · Score: 4, Interesting

    While the parent references Bush, this works both ways. Actually, it works all ways. Delay? To the pit with him. Clinton? An oubliette. (Not for the adultery - I don't think that's illegal in DC - but for the lying under oath ("I did not have sex with that woman" (okay, maybe there's room for debate, as he only got a blowjob, but if a court does find him guilty, THEN to the oubliette)). I'm sure there are some Independents out there guilty of some things. Democrats too.

    Personally, I think if you're in government, and you break the law, you should get double to triple the punishment you normally would. Why? Because you're held to a higher fucking standard, that's why. Don't like it? Don't run for office.

    Not that any of this was really on topic...

  4. Re:Sheesh! by bill_mcgonigle · · Score: 4, Interesting

    I don't know - this could be good for good developers.

    We'd carry "malpractice insurance" the same as a doctor or an engineer who builds a bridge.

    But we'd also develop some backbone. We'd mandate full use-cases, real automated testing, input validation, edge cases - and it would ship when it was ready. Any CEO ramrodding out shoddy software would be in the same position as a CEO at a pharmaceutical company doing the same, subject to having the whistle blown on them.

    Overall, it would serve to elevate the position of software developers to a more professional status, and the salaries would go along with it. There would also probably be stratifications along the lines of architect/engineer/draftsman that we see where this has been done already.

    More significantly it would put up substantial barriers to outsourcing.

    But don't expect Corporate America to allow this to happen without considerable campaign contributions against it. The last thing [name your big abuser of programmers] wants is 'professional' developers (or American developers for a subset of those companies).

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. In the end, it's the people who create quality. by Richard+Steiner · · Score: 5, Interesting

    Processes can aid in ensuring consistency, but they aren't strictly necessary.

    I worked as a development/support programmer in a fairly critical application area for a major airline for over ten years, and we had a small tight team of a dozen fairly experienced developers and only a few formal processes in place. The software that was written and loaded in production was generally of very high quality, mainly due to a good culture of informal peer review, testing (involving users and programmers alike), heavy use of a test system to let changes simmer a bit before release, etc., but there really wasn't a formal "metholodogy" in place, just common sense practices that everyone there had agreed to follow.

    For larger groups or in development environmments where software is released in bursts (e.g., a new version is released to external customers every few months) it might make more sense to put more formal processes in place, but when working on a living system that has to change from time to time in a few days (or even hours) I'd rather put my faith in a couple of experienced programmers who know the system and the expectations of the end users.

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  6. Re:CMMI by sedyn · · Score: 4, Interesting

    The only way that programmers should be personally resposible for their actions is if they can be directly given the rewards. I don't know how this system would work. All I know is that when you currently sign a EULA it is not with a programmer, it is with a company.

    If we are not directly given rewards, then I'm going to study for an MBA after my CS degree to limit my personal responsibility (paradoxically increasing overall responsibility), and most likely make more money anyway. People (shareholders) in corporations get to legally hide behind "the corporate entity" to shield them from personal finanical litigation, their employees should have the same benefit.

    But I think your doctor example is correct, and would describe much more than you pointed out (for example, we would be forced to become as through as possible, like doctors, which would force us to ensure that employers permit it, which may cause unions or something similar, and I doubt business people want unions, especially in IT. I know there are arguments against that, but think, if fewer people enter the field and those that do are more responsible, then the result is higher paid, and more powerful people that need control of their work)

    --
    Am I open minded towards open source, or closed minded towards closed source?
  7. Re:CMMI by Directrix1 · · Score: 5, Interesting

    Isn't it weird how several people, in almost unison, just suddenly decided: "Hey software developers need to be held liable for bugs in their code." It makes you wonder about their backgrounds (read second paragraph). I'm sure this has nothing to do with open source software developers being financially incapable of being held liable for flaws in software they donated. On the other side, I do agree that closed source (AND ONLY CLOSED SOURCE) software makers should definetely be held liable, as there is no other means of recourse in the event of software failure. Whereas, open source license or not, spells out exactly what it will do, line-for-line, and you can either take it or leave it.

    --
    Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
  8. Why stop there by hey! · · Score: 4, Interesting

    You're right, but you don't go far enough.

    The fact is that the supply of competent people in the world is vanishingly small, whether they be programmers, managers, or people whose job it is to procure things. I'm not talking paper qualifications, I'm talking about functional competence: the ability to handle a complex and uncertain situation, and make the right decisions. It's generally found among people like farmers and blacksmiths who know their business because it is part of body of knowledge that has been handed down from time immemorial. Marketers, managers, software engineers and other people engaged in modern professions -- well lets say good ones are rare indeed.

    Furthermore true integrity, the type that makes you do the right thing when it's easy to pretend things are better than they are and leave some other poor bastard holding that bag -- that's even rarer.

    Software, like most other modern products that are intangible or have a significant intangible value components, is a product of the Shambling Juggernaut of Incomptenence and Denial. The SJID, it must be admitted, works far better than it has any business to. People caught up in it interact like atoms of gas, the composite average of which produces a tolerably reliable mediocrity. Occasionally it will miraculously spit out something wonderful, and not unusually it will produce something horrible, but the machine roles on. And what keeps it running is Denial. Incompetence is the common denominator to be sure, but denial is the fuel that drives the machine and the glue that binds it together. Success has a thousand fathers but failure is an orphan. Those who have reason to be glad of this find their most natural home in the SJID.

    Unfortunately for you, dear Slashdot reader, there may be no place for you here, because unlike the marketers, management consultants, CEO, board, procrement agent, and virtually every other party in the software development arena, you left a paper trail of every mistake you made, no matter how small or how minimally contributory to the overall failrue it may be. Blame is supposed to ooze throughout the system so that pain and damage is not felt in any one place, but instead diffuses into a general atomosphere of dissatisfaction and helplessness. But you, dear reader, carry the antibody of Accountability, which can reliably attach to Blame in concentrations as low as 1 PPM.

    And now, they've noticed. Beware.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.