Slashdot Mirror


Insecure Code - Vendors or Developers To Blame?

Annto Dev writes "Computer security expert, Bruce Schneier feels that vendors are to blame for 'lousy software'. From the article: 'They try to balance the costs of more-secure software--extra developers, fewer features, longer time to market--against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales. The end result is that insecure software is common...' he said. Last week Howard Schmidt, the former White House cybersecurity adviser, argued at a seminar in London that programmers should be held responsible for flaws in code they write."

6 of 284 comments

  1. How about both? by 8127972 · Score: 2, Interesting

    Vendors (more specifically, the product managers, sales types, etc.) are under pressure to get products out the door to get sales and keep shareholders happy. That forces developers to limit the amount of time they spend writing quality software so that they can keep the PHBs happy. Net result, crappy insecure software.

    BTW, this topic seems vaguely familiar. Is this a dupe?

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  2. Re:E&O by company or by employee by LaughingCoder · Score: 2, Interesting

    Large software companies have more in common with factories than they do with law firms or medical practices.

    Actually, this is true ... witness outsourcing. When's the last time you saw law firms outsource?

    BTW, how is this going to work if the programmer is a citizen of India? Are US prosecutors going to extradite him or her for inadvertent buffer overflows?

    --
    The more you regulate a company, the worse its products become.
  3. Worse isn't better, it's just 90% don't want it by Nevyn · Score: 2, Interesting

    This all seems to be a rehash of the "worse is better" meme ... that those damn software programmers/companies aren't doing what we want. The only problem is, it's all crack. Almost no customers, even now, are willing to pay more for "quality".

    Yes, I think all other things being equal, people will go towards quality/security ... but it just isn't high on anyone's list. Cheap, features, usable ... and maybe quality comes in fourth, maybe.

    And, yes, there are exceptions ... NASA JPL obviously spend huge amounts of money to get quality at the expense of everything else, and I say this having written my own webserver because apache-httpd had too many bugs (which comes with a security guarantee against remote attacks) ... but I'm not expecting people to migrate in droves from apache-httpd, it's got more features. The 90%+ market share have spoken, consistently, and they just don't care about the same things Bruce and I do.

    I have a lot of respect for Bruce, but the companies really are just producing what most people want ... so stop blaming them.

    --
    ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
  4. Re:E&O by company or by employee by MaceyHW · Score: 2, Interesting

    I agree 100% that the company, not the individual, should be the one holding the bag, but what happens to freelancers? Unless they can pass the liability on to the customer when they hand over the code (or otherwise shield their personal assets) virtually no-one is going to be sure enough of their work to code outside the protection of a company.

  5. Re:Why not?! by Anonymous Coward · Score: 2, Interesting

    In no way can they hold me personally responsible. The company I work for makes all kinds of sacrifices to win the bid. General quality is what is mostly sacrificed by having ridiculous deadlines and cutting testing time.

    I would love to have the luxury of being able to build properly secure solutions and perform extensive system testing, but it's just not possible. The same is true for proper documentation and being pro-active during maintenance contracts.

    The worst part of it all is that the clients have gotten used to both the lower prices and the lower quality. We won't get work if we jack up the prices in order to provide the quality of work we really should be providing.

  6. Re:Errors and Omissions Insurance (GPL V3) by ArsonSmith · Score: 2, Interesting

    I wonder if they can get around it by claiming the code as the documentation as to what the program does. That way if it does something wrong it is perfectly documented that that is what it is supposed to do. If you don't want it to do that let me know and I (the programmer) can change it. This would be kind of like the Microsoft argument of "it's not a bug it's a feature" except with OS it is a documented feature that is subject to change upon request.

    Closed source applications wouldn't be able to use this loophole.

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.