Hold Developers Responsible? 1

[BJCooperIT]

This article reports that Howard Schmidt, former White House cybersecurity advisor, said that software developers should be held personally accountable for the security of the code they write.

With all the hackers and brilliant minds out there, chances are, if you can write it, ultimately someone can break it.

Also, if I am hired by a company to develop software to their specifications, then how could I be held responsible for someone else's design?

[sup]Beware of false knowledge; it is more dangerous than ignorance.[/sup][sup] ~George Bernard Shaw[/sup]
Consultant Developer/Analyst Oracle, Forms, Reports & PL/SQL (Windows)
Author and Sole Proprietor of: Emu Products Plus

 

[tazuk]

Interesting article, although his statement smacks a little of media attention gathering (given his recent move to private enterprise).

Presumably Howie (as former White House cybersecurity advisor) will be happy to be held personally responsible for any US government network breaches that occurred during his term of service? Someone should tell Gary McKinnon's lawyers..

TazUk

Blue-screening PCs since 1998

 

[edfair]

Sounds good to me. Might drive some advocates of Q&D software out of the business.

Just because the customer requirement is to input some data, that wouldn't absolve you of the requirement of valid character checking and input limit testing. It might force the strengthening of the contract documents.

Ed Fair
Give the wrong symptoms, get the wrong solutions.

 

[CajunCenturion]

==> He said he believes many developers don't have the skills needed to write secure code.
That is a very true statement.

Manufacturers have long been held responsible for the products they develop, and flaws in those projects expose the manufacturer to liability and damanges. Why should the manufacturing of software be any different? Engineers have always assumed liability for their designs. Why should software engineering be any different?

But I don't agree with the 'personal' aspect. Just as in those cases, employees are protected by the shield of their respective corporations, and that should also be true for individual developers. The corporation should be held accountable for the products they sell. If you free-lancing, then you're on your own.

However, there are some mitigating factors, such as user modifications to code and maintaining upgrades as addressed in the article, but one that is not brought up is the wilfull and malicious intent of the hacker to break the code. Developers, personal or corporate, should not be held accountable if the break is the result of criminal behavior or intent.

In many ways, it boils down to professionalism. If we, as software developers, want to be viewed as professionals, then we need to accept professional responsibility for what we produce.

--------------
Good Luck
To get the most from your Tek-Tips experience, please read FAQ181-2886
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein

 

[zeitghost]

So how many buffer overflow exploits are we up to in the world's favourite graphical interface so far?

Is it dozens or hundreds?

I've kinda lost count in all this excitement...

Do you feel lucky?

I know I don't.

 

[dennisbbb]

The same analogy is to hold Boeing responsible for plane crashes. Bad design causes wing to crack, engine to heat up, or fuselage to break. It's just no way.

I think any hack should be considered an accident. The Eula states clearly that the author is not responsible for any lost or damage to your company.

 

[CajunCenturion]

==> The same analogy is to hold Boeing responsible for plane crashes. Bad design causes wing to crack, engine to heat up, or fuselage to break. It's just no way.
Or center fuels tanks to explode. If the accident is the result of a design flaw, then the manufacturer IS responsible, as was the case for Boeing in TWA 800. General aviation manufacturers in the USA (notably Piper and Beech), are only in business today because a 15-year statute of limitations on product liability was passed into law. That protected these manufacturers from liability issues if the aircraft involved in the accident was at least 15 years old.


--------------
Good Luck
To get the most from your Tek-Tips experience, please read FAQ181-2886
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein

 

[Glenn9999]

So how many buffer overflow exploits are we up to in the world's favourite graphical interface so far?

Or in any C++ app. It's insanely easy to write code there with this kind of problem. I doubt, though, that many will care to solve it.

 

[chiph]

It is possible to write perfectly safe software. The problem is - no one wants to pay for it.

Chip H.


____________________________________________________________________
Donate to Katrina relief:

http://s1.amazon.com/paypage/PELYGQVJ8Q7IB/103-6821258-5919825

If you want to get the best response to a question, please read FAQ222-2244 first

 

[zeitghost]

But is it really necessary to keep on making the same stupid mistakes time after time after time...

 

[chiph]

But is it really necessary to keep on making the same stupid mistakes time after time after time...

Until the Vulcan mind-meld is perfected... yes.


Without experienced developers in their office to tell them "don't do that", they'll continue to make the same mistakes. Of course, the experienced people aren't there anymore because they're too expensive, but that's an argument for another thread.

The other thing is that the technology changes so often. I had a coworker implement the Boyer-Moore string searching algorithm in C#. He spent a week working on it. If he'd only known that the .net framework's String.IndexOf() method uses that algorithm internally, he could have saved himself a lot of work, and the company a week's salary. But since he came from a C++ background, and in C++ you have to write this stuff yourself, he didn't expect the new language to have that functionality.

Chip H.


____________________________________________________________________
Donate to Katrina relief:

http://s1.amazon.com/paypage/PELYGQVJ8Q7IB/103-6821258-5919825

If you want to get the best response to a question, please read FAQ222-2244 first

 

[strongm]

>the .net framework's String.IndexOf()

Which of course brings up another issue not mentioned in the article, which is that most developers use libraries, frameworks, etc. provided by 3rd parties ...

 

[Glenn9999]

Yep, we've largely seen the death of the programmer. Most people that call themselves "programmers" are in truth "librarians". The only true know-how they have if they've only seen component rich OOP environments is to stick someone else's tinker-toys together.

Of course, these kinds of people stick out like a sore thumb when they look for "components" to do simple tasks they should be able to code in their sleep.

 

[grande]

Glenn9999,
I'm a co-op student at a very large bank, and I know exactly who you mean. They're the people that are absolutely floored by COBOL and JCL because it doesn't auto-complete, and there's no IntelliSync. I find it rather funny, personally.

Luckily, my school only uses a few "advanced" languages. In fact, the only one we've done so far is VB6.0, and in the last semester we do VB.NET. Mostly, it's been C, C++, COBOL, RPG, and SQL (DB2, Access, and Oracle).

-------------------------
Just call me Captain Awesome.

 

[mluckie1]

I just have a few things to say about this topic. I have been in electronics, mostly telecomunications, since the microprocessor was introduced, I was a bench tech when the 6809 was thought of as revolutionary. I cannot understand how people back then, who were cracking code and wreeking havoc, were made heros and given great jobs for breaking and entering, and vandalism.
Today with the push for VOIP people should stop and realy look at what this "Investment" is going to cost them. A business with no phones or computers would be no business in a short time, and yes someone should be held responsible, including the buyer. If Merck can be held liable for a product that had to meet federal approval before being marketed and was removed when reports showed what could occur, so far 28.5 million but this will increase as time goes on, then why shouldn't software, and hardware, developer's have to be held responsible for the damage they create? I mean how many version of AOL are on some computers? If a version of microsoft windows isn't working right just introduce a whole new version and stop supporting the old. Great economic sense? Who are the real suckers. As the saying goes "Buyer beware".

 

[eyec]

what about Sony?

http://www.washingtonpost.com/wp-dyn/content/article/2005/11/02/AR2005110202362.html

 

[Thadeus]

As to Merck, the FDA approved the drug based on deliberately incomplete information (not all of the clinical trials research, only the good news). So Merck should definitely be liable for withholding crucial results.

As to Sony, I don't understand what the recording industry thinks this will do for them. Most people are not audiophiles... they don't care whether their favorite songs are the first off the master so long as they sound "decent". So long as people are able to plug an external input into a sound card and record in the music, the anti-piracy stuff will do no good. Music pirates won't put the CD into their computer and rip it... they'll just rip it over the digital line-in. The result will be the same in the end: the music industry will need to discover a new business paradigm. The longer they continue to hold out thinking they can outlast the pirates, the less I feel sorry for them. The writing is on the wall, evolve or fade away....

~Thadeus

 

[zeitghost]

Anyone remember the rocket launch that went pear shaped back in the 60s because of a typo in a FORTRAN program controlling attitude?

A misplaced "." changed an integer constant into a floating point constant... and FORTRAN is not exactly strongly typed.

 

[edfair]

Actually the attitude was pretty good until the altitude became a problem.

Sorry, too many hours looking at a screen over the weekend.

How about the people burned by the x-ray machine software where max power was applied if somebody used the reset function during setup?

 

[zeitghost]

Therac 25.

That's one that can really give you the horrors... a fine example of how you can take reliable hardware (in the previous version) & really screw it up with a dollop of software.