Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security

Holding Developers Liable For Bugs 838

Posted by CmdrTaco
from the you-gotta-be-kidding-me dept.
sebFlyte writes "According to a ZDNet report, Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write. He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system. He was speaking in his capacity as CEO of a security consulting firm at Secure London 2005."
This discussion has been archived. No new comments can be posted.

Holding Developers Liable For Bugs

Comments Filter:
  • by Agelmar (205181) * on Wednesday October 12, 2005 @09:15AM (#13772940)
    I will admit that I have seen a lot of bad programmers and bad code over the past few years, but let's step back and think about this. Programming jobs are rapidly being sent overseas to India and China. This is not going to create much of an incentive to keep such jobs in the States, nor does it create much of an incentive for people to go into the field. Holding companies accountable, as suggested in the article, might be a slightly better solution, but again it's somewhat complicated when you start trying to hold an overseas company accountable. (It's more doable than holding an overseas individual accountable, but still not a simple task).

    As for the article's last point about CMM environments: It's not at all an indication that software has been developed by quality developers, all it means is that the code was developed using a reasonable development framework. CMM level 3 means that you document your processes, and typically have peer review. Bad peers means peer review is worthless - it does not guarantee good programs. CMM Level 4 involves"quantitative quality goals" by which productivity, quality and performance are to be measured. This is a bit better, but again it's a matter of where the bar is set. CMM Level 5 is about continual improvement, and is extremely strict. I think that CMM Level 5 is the only environment where one can actually be assured of reasonable quality code. I've seen way too much bad code come out of CMM-3 and -4 environments to give them much credit. If you've got great people, then a CMM-3 environment typically produces great results. For -3 and -4, what you put in is what you get out - not guaranteed greatness.
    • by Anonymous Coward on Wednesday October 12, 2005 @09:20AM (#13772990)
      CMM level 5 is no guarantee of quality! I worked in India and interviewed many a developer from CMM level 5 companies who were utterly useless. And this idiot who wants to make developers responsible for poor code - does he also advocate Ford or GM workers should be liable for cars that are easily broken into?
      • by Thud457 (234763) on Wednesday October 12, 2005 @09:32AM (#13773128) Homepage Journal
        1. What about slipshod companies that don't have proper processes in place to test & verify code before they ship it?

        2. What about laissez-fair management that ignores any such processes that are in place so to ship code on some arbitrary market-driven deadline?

        • by AstroDrabb (534369) on Wednesday October 12, 2005 @11:11AM (#13774058)
          I agree 100%. I think all companies should be liable for their products. However, I do not think it should be at the individual employee level. After all, the point of a fictitious entity know as a "corporation" is to remove personal liability. If one employee causes a bad product, well fire that employee. However, in the end it should be the "company" that is liable.

          If Ford has a car with faulty steering that locks and causes me to be in a very bad accident, should Ford be liable? IMO, yes. Should the engineers be personally liable? IMO, no. It is up to Ford and their management to hire competent employees and competent management to make sure those employees put out a safe product.

          Imagine what would happen if people were allowed to sue an individual employee because of a faulty product. The cost of labor for _any_ technical job would go through the roof because those, engineers, developers, machinists, etc would all need to buy personal liability insurance, just like doctors have to. One of the reasons doctors _have_ to charge so much here in the USA is because of insurance costs to protect them against sue-happy lawyers and people. Top surgeons can easily pay $100,000+ a year just for insurance!

          • by fossa (212602) <pat7NO@SPAMgmx.net> on Wednesday October 12, 2005 @12:25PM (#13774744) Journal

            And what if Ford sells you a car that fails to leap to the side to avoid an imminent collision, causing you do get into a very bad accident? And if Ford sells you a car that can drive into a building at 100mph? And if you use your car in some extreme environment that causes the breaks to degrade rapidly? What if the steering only locks after 20 years of use? I think you need to make a distinction between gross negligence and simple physics. Certainly if Ford misrepresents the capabilities of the auto that is different, but one simply cannot expect everything to work perfectly at all times. Life is fatal; everything is a tradeoff of risks, and at the end of the day you've got to watch out for yourself.

            There's also a big difference in that if I drive a faulty car (which there are various regulations against, or at least manufacturers must meet various regulations before they can sell a car), I put you in danger. If I use faulty software, I only put my data in danger (ignoring worms and the like). I'm not really interested in paying more for higher quality becaue you think I should.

            That leaves the question: if my faulty software damages your data becaue it contracted some malware that attacked you (or perhaps it's just faulty somehow), then who is at fault? Should the internet be regulated like roads are? I would like to think "no, certainly not", but who knows. Would regulation even improve things? Highly unlikely I think.

          • by sterno (16320) on Wednesday October 12, 2005 @01:14PM (#13775128) Homepage
            I agree 100%. I think all companies should be liable for their products. However, I do not think it should be at the individual employee level.

            Here's an interesting question. A piece of software that is written to work with Windows has a security flaw in it. The security flaw creates an exploitable condition in Windows such that you can gain total control over the system. Who's fault is it?

            Obviously there was a security flaw in the software that you were using, but then it wouldn't be that critical if Windows handled it's security better. So isn't Windows partially to blame. And what if you set it up in an insecure manner? Isn't that your fault? Or is the developer's fault for not making it more idiot proof.

            Now taking that down to the code inside of a program is just ridiculous. If you've got a team of 10 people (which is small in the grand scheme), each one of them could, individuall write totally secure code. However, come integration time, it turns out that they are opening up holes in eachother's code. So then who's fault is it? What about QA? Shouldn't they have some liability too?

            Finally there's the PHB factor. You could have a group of the best, most security knowledgeable programmers in the world, and they could still screw up due to lack of time and resources. What if the boss tells them to do something that makes the system innately insecure? Who's fault is it then, his for telling them to do it or theirs for not pushing back on the requirement. Not to mention what happens after people have work a few months of 60 hour work weeks trying to get a project done.

            In the end, liability is just a dumb concept in computers. In the end this is one of those places where the invisible hand of the market place is the best correction. Companies that write buggy software routinely will be smacked by the marketplace, by and large. The only exception to that rule is companies like Microsoft who have an effective monopoly. But then that's why we have anti-trust law isn't it?
        • by HTH NE1 (675604) on Wednesday October 12, 2005 @11:32AM (#13774283)
          In the Code of Hammurabi, 18th Century B.C.:

          If a contractor builds a house for a man and does not build it strong enough, and the house which he builds collapses and causes the death of the house owner, than the contractor shall be put to death.

          If it causes the death of the son of the owner, then the son of the contractor shall be put to death.

          This is of particular interest to me as I contribute code to software used to design steel buildings. I would not want to see this code reapplied today to dwellings or programming.
    • CMMI (Score:5, Insightful)

      by pdmoderator (63509) on Wednesday October 12, 2005 @09:21AM (#13773004)
      CMMI doesn't guarantee good practice any more than membership in the Better Business Bureau guarantees good business. But I'd rather work in a shop that has CMMI in place than one that doesn't. It's insurance against the sort of death marches that create slapdash practice, shoddy product, and security holes in the first place.
      • Re:CMMI (Score:5, Insightful)

        by ShieldW0lf (601553) on Wednesday October 12, 2005 @09:34AM (#13773172) Journal
        CMMI doesn't guarantee good practice any more than membership in the Better Business Bureau guarantees good business. But I'd rather work in a shop that has CMMI in place than one that doesn't. It's insurance against the sort of death marches that create slapdash practice, shoddy product, and security holes in the first place.

        That's where this sort of thing leads: insurance.

        If something like this were to happen, there would be an immediate chilling effect on software development, followed by liability insurance policies similar to what doctors have. Software developers would start having this insurance, and then when the end users start making claims, the mighty insurance companies will simultaneously raise their rates and use their financial and political powers to buy laws that cap their liability.

        Developers pay money, insurance companies get money, end users get screwed, politicians and executives get rich. This is called "building economic value".
        • Re:CMMI (Score:5, Interesting)

          by sedyn (880034) on Wednesday October 12, 2005 @10:17AM (#13773607)
          The only way that programmers should be personally resposible for their actions is if they can be directly given the rewards. I don't know how this system would work. All I know is that when you currently sign a EULA it is not with a programmer, it is with a company.

          If we are not directly given rewards, then I'm going to study for an MBA after my CS degree to limit my personal responsibility (paradoxically increasing overall responsibility), and most likely make more money anyway. People (shareholders) in corporations get to legally hide behind "the corporate entity" to shield them from personal finanical litigation, their employees should have the same benefit.

          But I think your doctor example is correct, and would describe much more than you pointed out (for example, we would be forced to become as through as possible, like doctors, which would force us to ensure that employers permit it, which may cause unions or something similar, and I doubt business people want unions, especially in IT. I know there are arguments against that, but think, if fewer people enter the field and those that do are more responsible, then the result is higher paid, and more powerful people that need control of their work)
        • Re:CMMI (Score:3, Insightful)

          by LeonGeeste (917243) *
          Hold on - insurance is actually a good idea. That way, clients get compensated for bad product, and developers pay premiums based on their history. The liability insurance problem with doctors is a problem of the legal system, not with insurance itself. Payments are so widely varying, and probably partially due to jury's emotionalism, but more likely due to the fac that they have nothing to compare it to. If you break a vase for $10,000, they award $10,000 + admin. costs. It's really simple. But peopl
          • Re:CMMI (Score:3, Insightful)

            by dwandy (907337)
            This is only a good idea if you're an insurance company, since they are the only ones guaranteed to make a profit on this.

            developers pay premiums based on their history.

            I don't know how it works where you are, but 'round here people pay car insurance based on how everyone else drives (factors like age, gender etc can play an enormous role in the rate, regardless of the drivers own record)

            The liability insurance problem with doctors is a problem of the legal system, not with insurance itself.

            ...and

        • Re:CMMI (Score:3, Insightful)

          by Kortec (449574)
          I agree that obviously this sort of a development, if you'll excuse the pun, would lead to the need for software malpractice insurance, but this is by no means any sort of solution. It's a decently well documented fact that the malpractice insurance costs for medical insurance are driving many out of the profession. On the anecdotal level, I'm personally aware of people who have stopped doing more risky procedures, root canals in the case I'm thinking of, just to lower their insurance bills so they can stay
    • by rovingeyes (575063) on Wednesday October 12, 2005 @09:29AM (#13773092)
      Holding companies accountable, as suggested in the article, might be a slightly better solution, but again it's somewhat complicated when you start trying to hold an overseas company accountable

      You don't hold overseas companies accountable, its not our job. We hold local companies accountable. They received the money from us. We don't care how they spend it or don't spend it. Normally these companies don't tell you upfront that they are the middle man. If they do that then their accountability is diminished. But in reality most of these companies say they are producing the code, have their licenses and brand name on them. So you just hold them accountable. If a software screws up they pay not the overseas company.

    • by Velox_SwiftFox (57902) on Wednesday October 12, 2005 @09:31AM (#13773105)
      You're leaving out the lower levels. I take it CMM-1 is the level where if the software suddenly causes monkeys to fly out of the butt of the user, that it is perfectly within the specification?
    • by Richard Steiner (1585) <rsteiner@visi.com> on Wednesday October 12, 2005 @09:36AM (#13773192) Homepage Journal
      Processes can aid in ensuring consistency, but they aren't strictly necessary.

      I worked as a development/support programmer in a fairly critical application area for a major airline for over ten years, and we had a small tight team of a dozen fairly experienced developers and only a few formal processes in place. The software that was written and loaded in production was generally of very high quality, mainly due to a good culture of informal peer review, testing (involving users and programmers alike), heavy use of a test system to let changes simmer a bit before release, etc., but there really wasn't a formal "metholodogy" in place, just common sense practices that everyone there had agreed to follow.

      For larger groups or in development environmments where software is released in bursts (e.g., a new version is released to external customers every few months) it might make more sense to put more formal processes in place, but when working on a living system that has to change from time to time in a few days (or even hours) I'd rather put my faith in a couple of experienced programmers who know the system and the expectations of the end users.
  • Hey, God (Score:5, Funny)

    by Anonymous Coward on Wednesday October 12, 2005 @09:16AM (#13772942)
    About this little thing called "the mosquito" which we received as part of Earth v1.0....
  • by muellerr1 (868578) on Wednesday October 12, 2005 @09:16AM (#13772953) Homepage
    Whatever happened to holding the people who exploit vulnerabilities responsible?
    • by pturpin (801430) on Wednesday October 12, 2005 @09:20AM (#13772988)
      Nah, that requires too much effort. It is much easier to find someone whos name is tied to the code.
      • So Long, Gang... (Score:4, Interesting)

        by The Angry Mick (632931) on Wednesday October 12, 2005 @10:38AM (#13773779) Homepage
        Nah, that requires too much effort. It is much easier to find someone whose name is tied to the code.

        Damn. I guess this means the end of Microsoft, and Linux, and FreeBSD, and UNIX (I would say SCO-UNIX, but let's face it, they're gone already), etc. - God knows they've got plenty of names lurking in their code and all have had some sort of vulnerability at some point in time. I guess all that'll be left is OpenBSD, although that one exploit may come back to haunt 'em.

        On another note, I'm curious to see how Mr. Schmidt would lke the liabilities to be addressed. Are we talking say a $5.00 fine for typos, $100.00 for DLL/Library breakage, $1000.00 for a viral vulnerability, and, oh, maybe $1,000,000.00 for a exploit that grants root privileges? Would these penalties be scaled by installed user base so that smaller companies like Bob's Fuzzy Linux won't go bankrupt after the first lawsuit? Or will larger companies be able to buy "vulnerability credits"?

      • Nah, that requires too much effort. It is much easier to find someone whos name is tied to the code.

        That'll teach those coders to put their names at the top of files.

    • by mfifer (660491)
      The two need not be exclusive.

      One slightly contrived example...

      A house has a door lock that's poorly made. A burglar jiggles the handle and it falls off and the door opens. You can bet yer bippy that the lock manufacturer is gonna hear from the homeowner's lawyer(s).
    • by ScentCone (795499) on Wednesday October 12, 2005 @09:33AM (#13773137)
      Whatever happened to holding the people who exploit vulnerabilities responsible?

      That's crazy talk! What are you thinking, man? Next you'll suggest that when I walk down the street with my entire head completely exposed and vulnerable, that somehow the mugger than hits me over the head with a baseball bat may somehow be responsible for the outcome! See how crazy you are?

      Or, when I lock my door and leave my house for the day, and a guy comes along with a sledgehammer and just breaks in anyway - I suppose you think that the person with the sledgehammer is somehow responsible for that? Totally twisted, man.
  • by metternich (888601) on Wednesday October 12, 2005 @09:17AM (#13772958)
    You need proper code reviews, etc. if you want to find security flaws. The company writting the code should be responsible for organizing such things.
    • it's all about money in the end.
      going over the code with few extra eyballs costs - it costs in wages and it costs in _time_.

      also sometimes it's about compromises.. sometimes the things are designed badly in some aspects so that the product is convinient in others.
    • by Proaxiom (544639) on Wednesday October 12, 2005 @09:41AM (#13773242)
      The company writting the code should be responsible for organizing such things.

      You got it right. Producing good code is a complicated process, not something one person can do. You need controls. You need reviews. You need methodical testing.

      Why blame the developer who wrote the buggy code, and not the tester who missed the bug? What about the designer who produces a complicated bug-prone design?

      Good software is a collaborative effort. You need a lot of people who know what they're doing working within a good process. Singling one person out in the system is misguided.

      • Producing good code is a complicated process, not something one person can do.

        There are dozens (if not hundreds) of examples out there of high-quality code being produced by a single standalone programmer, some of them fairly complex applications/utilities, and that is true not only in the DOS/Windows shareware and open source software environments but also in the corporate mainframe environments where I've worked.

        Yes, such folks will generally have other folks to testing over time, but often the concept, d
      • by willCode4Beer.com (783783) on Wednesday October 12, 2005 @10:44AM (#13773827) Homepage Journal
        Lets not forget that nobody has really figured how to manage software development while the demands of software keep going up.

        Microsoft (in days of old) was criticized for raiding the top developers from other companies and universities. So with the top developers in the world we got Windows, Office and IE. (I don't think there is a need to say what people think of the quality here.) Google, now is the one raiding the top coders yet, they are still producing some buggy code.

        If the best in the business can't produce secure bug-free software, how is anybody else? Granted, we should all strive to make the most secure and bug-free code possible. But, I really don't think it will be a common practice until the management of the process is figured out.
        We've seen waterfall fail, over and over and over and over ....
        RUP, while an improvement, still falls short.
        Agile (XP, etc...) tries to address some realities of development but, it still doesn't really manage it.

        Still, we do see some really good software pop onto the scene every once and a while. Even this is a symptom. The same groups who produce these gems often fail to repeat the process on other projects.
    • You also need properly trained personnel who can spot security flaws in code. Those are typically expensive and harder to hire than your average coder or QA person. If said company is only willing to pay an "average" salary, they will get exactly what they pay for.
  • Sheesh! (Score:5, Insightful)

    by MeBadMagic (619592) <mtpenguin.gmail@com> on Wednesday October 12, 2005 @09:18AM (#13772967)
    Remind me not to work for this guy.....

    Why not make CEO's personally liable for not putting the code through proper QC channels and selling it over-promised.

    Made to sell, not to use? Who's fault is that?

    B-)
    • Re:Sheesh! (Score:5, Interesting)

      by bill_mcgonigle (4333) * on Wednesday October 12, 2005 @09:36AM (#13773189) Homepage Journal
      I don't know - this could be good for good developers.

      We'd carry "malpractice insurance" the same as a doctor or an engineer who builds a bridge.

      But we'd also develop some backbone. We'd mandate full use-cases, real automated testing, input validation, edge cases - and it would ship when it was ready. Any CEO ramrodding out shoddy software would be in the same position as a CEO at a pharmaceutical company doing the same, subject to having the whistle blown on them.

      Overall, it would serve to elevate the position of software developers to a more professional status, and the salaries would go along with it. There would also probably be stratifications along the lines of architect/engineer/draftsman that we see where this has been done already.

      More significantly it would put up substantial barriers to outsourcing.

      But don't expect Corporate America to allow this to happen without considerable campaign contributions against it. The last thing [name your big abuser of programmers] wants is 'professional' developers (or American developers for a subset of those companies).
      • Re:Sheesh! (Score:5, Insightful)

        by arkanes (521690) <{moc.liamg} {ta} {senakra}> on Wednesday October 12, 2005 @10:12AM (#13773554) Homepage
        Unfortunately, it'd also completely destroy the very strong non-professional softare development community. Not just OSS either, but shareware, hobbyists, even personal development. The tools required to do software development, like a compiler, would be enormously more expensive. So the question is whether the cover of professionalism is worth the impact of essentially destroying the amateur community, and whether the economic gain of (maybe) better software is worth the massively increased price of software development, the essential extinction of low-price shareware, and the loss of the freedoms that OSS provides, notably the push to open standards that OSS drives. We would eventually have a "big 3" (or maybe 5 or 6) of software development, just as we do with automobile manufacturers, to the detriment of the consumer.
        • All good points - I guess it comes down to a societal decision. With cars we've decided to only let certified cars on the roads. You can drive anything you want on your own race track.

          We might make a similar decision on the publically-routed Internet, and draw the distinction there.

          There is a process for getting a home-built car certified as street-legal. OSS software could do the same. It might look like a network-proxy or object broker such that each OSS project didn't need to develop its own network
      • I would agree that this could possibly be good for developers. I've done things quick-and-dirty, against my better judgement, and with flaws that I personally would have preferred to remove many a time because management wants it done fast and just barely meeting the contract specs, and bugs can always be fixed "in the support phase."

        That said, programmers would start having to behave like Engineers, and I'm not sure they're all ready for it. It would be a rocky transition for the industry. I don't think
      • money (Score:5, Insightful)

        by willCode4Beer.com (783783) on Wednesday October 12, 2005 @11:00AM (#13773970) Homepage Journal
        And who is going to pay for this?

        We create a "secure" web browser but, its gonna cost $10K per copy. This will cover the cost of developemnet, security auditing, extra QA, and the dev cycles that go along with it. Since, the OS can't be trusted to run the browser, it will only work on a dedicated browsing computer with no operating system. Since other peoples code poses a risk, it will not run javascript, java, flash, or any kind of plugin.
        Who would buy this?

        If developers are carrying malpractice insurance, then the insurance companies are going to have a lot to say about how development is done, and *if* it should be done. Your boss hands you a project specification, you send a copy to your insurance co. You then tell your boss that you can't work on his project because you won't be covered.

        Developers are going to have to charge a lot more for their services. Both for the personal risk involved and to cover the cost of insurance.

        Programs can be made "more" secure and have "fewer" bugs but, its going to take more time. Time=money. Look how eveybody is whining that Microsoft is taking too long for the next version of windows. Maybe if they want it to be *secure and bug free* they'll tell MS not to rush; to take a few extra years to be sure about the product; and they'll pay more for it.
  • by HeaththeGreat (708430) <hborders@mail.win.org> on Wednesday October 12, 2005 @09:18AM (#13772969)
    That proposal sounds fine, but then we should hold government leaders personally responsible for wrongdoings of government.

    I'd love to see the some jail time or a fine for Mike Brown after Katrina, or how about some jail time for Bush after the false pretences of Iraq?
    • by Skye16 (685048) on Wednesday October 12, 2005 @09:30AM (#13773102)
      While the parent references Bush, this works both ways. Actually, it works all ways. Delay? To the pit with him. Clinton? An oubliette. (Not for the adultery - I don't think that's illegal in DC - but for the lying under oath ("I did not have sex with that woman" (okay, maybe there's room for debate, as he only got a blowjob, but if a court does find him guilty, THEN to the oubliette)). I'm sure there are some Independents out there guilty of some things. Democrats too.

      Personally, I think if you're in government, and you break the law, you should get double to triple the punishment you normally would. Why? Because you're held to a higher fucking standard, that's why. Don't like it? Don't run for office.

      Not that any of this was really on topic...
    • > That proposal sounds fine, but then we should hold government leaders personally responsible for wrongdoings of government.

      My solution is, at the end of a politician's term hold an election where the only two options are:
      • grant him another term
      • send him to prison
      Maybe that would help guide their behavior.

      OTOH, shouldn't the voters who put a bad man in office go to prison for it?
    • That proposal sounds fine, but then we should hold government leaders personally responsible for wrongdoings of government.

      Just to put something valuable to your offtopic rant (FTFArticle):

      Schmidt also referred to a recent survey from Microsoft which found that 64 percent of software developers were not confident they could write secure applications. For him, better training is the way forward.

      I think one of the key issues of non secure software are the tools that are available to develop them. By that I m
  • by Anonymous Coward on Wednesday October 12, 2005 @09:18AM (#13772971)
    Want me to pay 10x more attention when I code?

    Pay me 10x more. And don't be in such a hurry for your product to get completed.
  • Not coders fault (Score:5, Insightful)

    by Quasar1999 (520073) on Wednesday October 12, 2005 @09:19AM (#13772979) Journal
    It's usually poor management that forces the product to be out the door 6 months before it's ready. Either keep your job and release a buggy product or stick to your guns and get fired. I think it should be the company, not the individual developer held accountable. How the company handles things internally is up to them.
    • Why stop there (Score:5, Interesting)

      by hey! (33014) on Wednesday October 12, 2005 @10:35AM (#13773749) Homepage Journal
      You're right, but you don't go far enough.

      The fact is that the supply of competent people in the world is vanishingly small, whether they be programmers, managers, or people whose job it is to procure things. I'm not talking paper qualifications, I'm talking about functional competence: the ability to handle a complex and uncertain situation, and make the right decisions. It's generally found among people like farmers and blacksmiths who know their business because it is part of body of knowledge that has been handed down from time immemorial. Marketers, managers, software engineers and other people engaged in modern professions -- well lets say good ones are rare indeed.

      Furthermore true integrity, the type that makes you do the right thing when it's easy to pretend things are better than they are and leave some other poor bastard holding that bag -- that's even rarer.

      Software, like most other modern products that are intangible or have a significant intangible value components, is a product of the Shambling Juggernaut of Incomptenence and Denial. The SJID, it must be admitted, works far better than it has any business to. People caught up in it interact like atoms of gas, the composite average of which produces a tolerably reliable mediocrity. Occasionally it will miraculously spit out something wonderful, and not unusually it will produce something horrible, but the machine roles on. And what keeps it running is Denial. Incompetence is the common denominator to be sure, but denial is the fuel that drives the machine and the glue that binds it together. Success has a thousand fathers but failure is an orphan. Those who have reason to be glad of this find their most natural home in the SJID.

      Unfortunately for you, dear Slashdot reader, there may be no place for you here, because unlike the marketers, management consultants, CEO, board, procrement agent, and virtually every other party in the software development arena, you left a paper trail of every mistake you made, no matter how small or how minimally contributory to the overall failrue it may be. Blame is supposed to ooze throughout the system so that pain and damage is not felt in any one place, but instead diffuses into a general atomosphere of dissatisfaction and helplessness. But you, dear reader, carry the antibody of Accountability, which can reliably attach to Blame in concentrations as low as 1 PPM.

      And now, they've noticed. Beware.
  • Right. (Score:5, Insightful)

    by Bozdune (68800) on Wednesday October 12, 2005 @09:19AM (#13772980)
    Sure, let's sue the pants off anyone who does anything wrong. Let's make it impossible for anyone to create anything new or different. Cradle-to-grave protection, ensured by armies of well-intentioned and socially-responsible attorneys -- that's the sure way to economic success!

    • Re:Right. (Score:3, Funny)

      by xtracto (837672)
      Obligatory simpons quote:

      Lionel Hutz
      "Can you imagine a world without lawyers? (Then he imagines everybody holding hands, dancing together, and shudders)"
    • Re:Right. (Score:3, Funny)

      by hackstraw (262471) *
      Sure, let's sue the pants off anyone who does anything wrong. Let's make it impossible for anyone to create anything new or different. Cradle-to-grave protection, ensured by armies of well-intentioned and socially-responsible attorneys -- that's the sure way to economic success!

      Better watch out, I have a patent pending on such a thing right now. Anybody with such a plan will have to license it from me!
  • nonsense (Score:5, Insightful)

    by moz25 (262020) on Wednesday October 12, 2005 @09:21AM (#13772997) Homepage
    While I agree that accountability is a good thing, liability without major restrictions seems like a dangerous thing. I am a software developer myself and I give my clients the guarantee that all bugs they discover within 6 months will be removed free of charge. Since I have no knowledge of how much losses they will claim as a result from even trivial bugs (yes, some clients are greedy), accepting liability is not something I'm going to do.
  • Oh, yeah (Score:3, Insightful)

    by ceeam (39911) on Wednesday October 12, 2005 @09:21AM (#13773000)
    You can as well ban "software development" as a trade. After all - WTF? You get what you pay for. I say that your average "in-house" enterprise software system has complexity no less than Toyota Camry or something. The difference being that software would be developed by 1-10 men during a year or two whereas any other _industrial_ design costs (both in $$$ and "man/hours") much, much, much bigger. But who cares? Get back to coding, you idiots!
  • by killproc (518431) on Wednesday October 12, 2005 @09:22AM (#13773007)

    I am currently the Development Lead / System Architect at my company. In my experience, the majority of "issues" and or "bugs" that I have seen crop up have been directly tied to poor requirements gathering by our "Business Analysts".

    Often, it turns into a real pissing contest between the two groups. Usually, after testing reveals that the grand vision of the BA is a crock we will usually revert back to the original recommendation of the development group.

    Yeah, let's blame the developers for the problems. That's the ticket.
  • Says it all (Score:3, Funny)

    by ackthpt (218170) * on Wednesday October 12, 2005 @09:22AM (#13773010) Homepage Journal
    ex-White House cybersecurity advisor

    I didn't catch the ex- part the first look and thought "whaaaat?" as I know the current White House occupation force is very Microsoft Friendly and would never endorse such sentiments.

  • by Jaeph (710098) on Wednesday October 12, 2005 @09:22AM (#13773017)
    It's not always a question of the coder, and a bug is not always a bug. In the example in the article, for all we know the specification called for a plain-text transfer, and the coder did exactly right.

    So we'll have yet more wrangling over specifications, more walls between users and developers, and more CYA behavior. That'll be fun.

    -Jeff
  • by JemalCole (222845) on Wednesday October 12, 2005 @09:23AM (#13773019) Homepage

    He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system.

    You know, I don't think it's entirely his fault that he's an idiot: I blame the education system.

  • by coyote-san (38515) on Wednesday October 12, 2005 @09:24AM (#13773039)
    While individuals can make stupid mistakes, the real problem is in the system and managers are ultimately responsible.

    As a simple example, take a web application. The web people believe (reasonably or not) that the form fields will be cleaned up by the backend people. How do they know what's dangerous anyway? The backend people believe (reasonably or not) that the data will be cleaned up by the web people. How do they know the various encoding schemes used, etc.

    Then some **** adds a cross-scripting exploit and compromises sensitive information.

    Who's responsible, the developers or the managers? Even if the developers are paranoid, what about the errors introduced as everyone tries to handle conditions outside of their sphere of knowledge? What about the new security flaws introduced by that?
  • OSS Projects? (Score:3, Interesting)

    by psyon1 (572136) on Wednesday October 12, 2005 @09:25AM (#13773049) Homepage
    How would this affect OSS projects? Would the development community be liable for damages caused by bugs in software? I have seen alot of free software that comes with a disclaimer waving all responsibility of the author, would that still hold up?
  • by 91degrees (207121) on Wednesday October 12, 2005 @09:25AM (#13773051) Journal
    Hold the vendors responsible. They are responsible for 100% of all problems that are not the fault of the customer.

    The vendor then holds the devloper responsible. They are responsible for 100% of all vendor bugs that are not the responsibility of the vendor.

    The developer then holds the programmer responsible. He or she is responsible for 100% of all developer bugs that are not the responsibility of the developer.

    It's the way it works everywhere else. If you have a faulty product, you take it back to the shop. They then take it back to the manufacturer and if it's a fault caused by a specific individual, they either sack him or train him properly. The purchaser would generally not sue the guy on the production line or the designer, even if it was their fault.

    There are good reasons for doing things this way. It preents people from passing the buck. It means each entity along the line is wholly responsible for ensuring quality.
    • Actually, you're not far off the mark here.

      In any company, there is one person and one person alone who's responsible for the defective product -- the CEO. If payroll isn't met on time, that's the CEO's fault. If someone gets mugged out in the parking lot because there wasn't adequate lighting or your building security was nonexistant, that's the CEO's fault. If there's no toilet paper in the bathroom, that's the CEO's fault. If the company fails to meet its sales expectations, whether it's because

  • Liable for what? (Score:4, Insightful)

    by mccalli (323026) on Wednesday October 12, 2005 @09:26AM (#13773057) Homepage
    For bugs in the code you write? For bugs in the compiler which compiled it? For bugs in the operating system which ran the code? For bugs in the design of processor which executed it? For impurities in the particular processor the code was run with which caused it to malfunction at a certain clock speed?

    Nonsense.

    Cheers,
    Ian

  • He can't afford it (Score:5, Insightful)

    by samjam (256347) on Wednesday October 12, 2005 @09:26AM (#13773059) Homepage Journal
    Few people on this planet can afford software developed to such a standard.

    There will always be a market for "cheaper" software that is not guaranteed to such a level, and with support contacts instead, where developers will try a moderate ammount to fix problems as they arise.

    From another perspective, the market is demanding of cheap software - not good software, which is why there is so much of it.

    Sam

  • Full of "Schmidt" (Score:5, Insightful)

    by guitaristx (791223) on Wednesday October 12, 2005 @09:33AM (#13773147) Journal
    This is absolute bunk! Most often, programmers would have a 5-10% stake in responsibility when compared with the mountainous bureaucracy above them. Consider how often a non-technical exec overseeing a software development project will agree to a contract that is nigh impossible to complete on-time. The customer holding that contract begins squeezing testicles, placing pressure (by extension, through the bureaucracy) on the entire development process. The exec says, "You mean there isn't a programmer writing or debugging code this very instant!? What a crime! You're not doing your jobs properly!" The truth of the matter is that ~30% of the project timeline should be research and design. Without a good design, and resources on-hand, bugs creep in. It is impossible to test quality into software, it must be designed in.

    Programmers don't draft contracts, they don't set deadlines, they don't make budget decisions, and certainly aren't responsible for failing to keep bugs out of a system that was (due to poor decision making in the aforementioned areas) designed to have bugs.
  • by LexNaturalis (895838) on Wednesday October 12, 2005 @09:34AM (#13773160)
    I think I agree with the British Computing society moreso than with Mr. Schmidt. I think coders should be held responsible, within a company, for poor code that they write, but overall the company should be held liable for bad code that it ships. If a company fails to have proper QC, then it's the company's fault, not the fault of a lone coder who might have written an insecure subroutine. Most companies don't have single coders, and rarely is there a single coder who has full (100%) knowledge of the other 10,000,000 lines of code in the product. I think proper education, as stated in TFA, is a better idea. Why not send the employee to a security class if the coder continually writes insecure code? That'd solve the responsibility issue and the education issue. Then, the company would produce more solid code and everyone wins; especially the consumer.
  • Sarbanes-Oxley (Score:3, Informative)

    by ihistand (170799) * on Wednesday October 12, 2005 @09:34AM (#13773164)
    I write financial reporting software for my company. Before anything is installed, even the most minor one-line bug fix, I have to sign a Sarbanes-Oxley statement of compliance. There are criminal consequences for not performing these steps properly. My QA person also has to sign this. My CIO is also held personally responsible, in that he/she could go to jail if something I wrote caused inaccurate financial reports to be released.

    I suspect many people who write software, like myself, are already personally responsible. And so we should.
  • Profession (Score:5, Insightful)

    by archeopterix (594938) * on Wednesday October 12, 2005 @09:43AM (#13773261) Journal
    Merely holding developers accountable won't do anything without big, big changes in the software industry. Look at people who are personally accountable for their fuckups - medicine doctors. There are several distinct things about them:

    1. You cannot become a doctor without long theoretical and practical training, intermixed with hard exams. All this is heavily regulated. To become a coder, you just have to pass a job interview. Software engineering certifications are optional and generally regarded worthless.

    2. Doctors are insured against malpractice. The costs are high, and generally passed on to patients.

    3. Doctors can choose not to operate (administer drugs, etc.), if the action constitutes malpractice. In software industry it's "use this braindead tool, or get fired".

    4. Malpractice. Ok, today's revolutionary therapy, maybe tomorrow's malpractice (or vice versa), and experts might disagree about some practices, but there is some sort of general agreement on what constitutes malpractice. I'm not sure whether IT is mature enough to speak of "malpractice" here.

    To sum it up: yeah, you can make developers liable for their mistakes, but the consequences would be huge. The costs of IT would skyrocket. Are you ready to pay for that?

  • by jellomizer (103300) * on Wednesday October 12, 2005 @09:48AM (#13773318)
    1. We can pass the blame to any bugs in libraries or other peoples code that we use to them or if there is a bug in the operating system, because we followed the specs of the 3rd party tool but the 3rd party tool is not working up to specs.

    2. We get paid for the full development cycle, and no pressure to get it done on time, or even close.

    3. If the Specs for the application never changes from the writen specs of the application before it is written.

    4. We are not responcible for any flaws that happen in old versions when there is a newer version out there.

    5. The Latest version of the Application is younger then 3 months.

    6. The application went threw full debugging and testing for 2 years with at least 10 people per line of code.

    7. The application doesn't try to keep compatibility with an older system.

    8. Is used on hardware the specs were approved in and were created before the release of the application.

    9. And if the developer wants to support it.

    When developing a Car or builing a house, there is a lot more prework that goes in they know what they want and how it works before they build it. Programming right now is not setup like that because it is to expensive for a single application or a custom application. Plus it will make more people decide not to be a programmer if they are responcible for every code they ever wrote.
    • 2. We get paid for the full development cycle, and no pressure to get it done on time, or even close.

      Get real! No pressure to get it done on time? What other engineering discipline would this be acceptable in? None. "Sorry sir, your bridge is not built yet - but we don't feel pressured to complete it in the timeframe we said we could do it in".

      3. If the Specs for the application never changes from the writen specs of the application before it is written.

      The world changes. Deal with it. Or be unemploy

    • by Sycraft-fu (314770) on Wednesday October 12, 2005 @12:01PM (#13774559)
      My car is buggy, very buggy by software standards. Here's a list of just a few of it's bugs:

      1) It is not resiliant to attacks. If someone wants to break in and steal it, it's very easy to do. Trivially easy to someone with training. The manufacturer has done NOTHING to fix this. In fact, all suggested solutions are just bandaids, they don't really do anything. Stronger glass, a kill switch, the Club, all are easily defeatable. They offer me no absolute security against attacks.

      2) My car does not deal with user error very well. If I put it in neutral and floor it, the engine will overheat and seize up, no cut out. If I poot toothpaste in the oil tank instead of oil I'll ruin the engine. There is virtually no protection against me making mistakes, and many of the mistakes will permenatnly disable the car.

      3) My car doesn't handle unexpected situations well. If it suddenly hits a brick wall, it will be damaged or destoryed, same if another driver suddenly collides with me. It only operates properly under normal circumstances.

      What's worse? They KNEW about all these problems from the car's inception. They sold it to me, knowing these problems, and are doing NOTHING to fix them! Even upgrading to a newer version of my car (for which I must pay full price) won't fix them.

      So I feel it absurd to attempt to say "We have to hold software to the same standard as cars" and by that mean that software should be perfect. Cars aren't perfect, by software standards they are buggy peices of shit. I expect that software should be essentially immune to any malicious attacks. If a flaw is found, I expect it fixed in a timely fashion for no charge. Likewise, I expect software to deal with user error well and not blow up if I do something wrong. However if I told you I wanted a car that did all that, I'd be laughed at.
  • by KWTm (808824) on Wednesday October 12, 2005 @09:50AM (#13773340) Journal
    My first reaction was: I wonder which lobbyist of a Large Software Company helped put this one through?

    The programmer is personally liable, but the big corporation who employs him/her profits from the work? Wasn't the whole point of creating a corporation to put a degree of separation into liability?

    Also, even if A Large Software Company promised to protect their own employees (some liability insurance as part of the benefit, say), this would still be bad news because it discourages independent programmers and coerces everyone into joining A Big Corp.

    A better idea would be to make it optional, like certification by a licensed Software Engineer. Just like, for example, how you could build your own toolshed with wood and hammer, but to build a house, you have to get a Licensed Inspector or be a Licensed Civil Engineer or something. (Details fuzzy, but you get the idea.)

    Okay, now to go RTFA.
  • by uqbar (102695) on Wednesday October 12, 2005 @09:51AM (#13773353)
    Rather than deal with the problems that lead to insecure code (usually management based) most companies will take out insurance. And this has worked so well for Medicine...
  • Accountability (Score:3, Interesting)

    by plopez (54068) on Wednesday October 12, 2005 @10:07AM (#13773506) Journal
    Is the sign of a profession as opposed to a trade or a craft. If we want software 'engineering' to become a true discipline we need to hold software 'engineers' accountable. In every other engineering profession insurance for errors and ommisions is required to practice, basically malpractice insurance. Even contractors, plumbers and electricians often must be licensed and/or post bond. Why not programmers?

    Any company reselling software in the US developed overseas would carry the liability and there by apply the same rules to overseas programmers (e.g. an offshored CPA must still pass a CPA exam or selling that person's services as a CPA is fraud).

    In addition, development of and adhesion to best practices would have to then be done by companies or they would never get SE's to work for them. The liability issues would be too great, and this would force companies to actually develop best practices and processes.

    It would make sense to do this.
    • Re:Accountability (Score:3, Interesting)

      by ctid (449118)

      Is the sign of a profession as opposed to a trade or a craft. If we want software 'engineering' to become a true discipline we need to hold software 'engineers' accountable. In every other engineering profession insurance for errors and ommisions is required to practice, basically malpractice insurance. Even contractors, plumbers and electricians often must be licensed and/or post bond. Why not programmers?

      Think about what you're asking here. If I'm a plumber and I fix your toilet and it leaks, then I (or

  • Contempt. (Score:5, Insightful)

    by CDPatten (907182) on Wednesday October 12, 2005 @10:17AM (#13773600) Homepage
    Programmers are not a parallel to automotive makers; they are a parallel to Authors, Book writers. Can you think of anything more absurd then suing an Author of a book over typos? Or the reviewer of that book who says "this is the best book of the year" and you thought it was the third best?

    This is the same reason patents on software are ridiculous, can you patent a love story plot? It's just absurd. This is another example of our society's run-away liberal government mentality. Big government stifles creativity, freedom, and crushes capitalism.

    A case like this should be thrown out of court as a frivolous lawsuit and the lawyer held in contempt, but we won't get that from activist judges.
  • by jnaujok (804613) on Wednesday October 12, 2005 @11:08AM (#13774032) Homepage Journal
    As the only comparable occupation where one is held liable for every action, this would put me in the same category as a medical doctor. That means:

    • My salaray immediately jumps to the $500 to $1000 per hour range
    • The number of people willing to code drops close to zero
    • I carry "Security-Flaw Insurance" to cover my code
    • I can demand only the most up-to-date equipment and refuse to work without it
    • I only have to see one manager every two hours, and that for five minutes. The rest of the time I only have to have my nurse/assistant deal with them.
    • My nurses/assistants do 90% of the work, but get paid 5% of the money
    • You can come to me with requirements, but I'll tell you what we're going to do about them. If you don't like it, go get a second opinion from my other coding friend.
    • I only write about 15 lines of code every day
    • I come to work at 10:00, take a two hour lunch, and leave at 3:30
    • Computer companies give me free stuff to recommend their products
    • One word: Golf

    So, heck yeah, cripple the IT economy, and make me stinking rich!
  • There are so many (Score:3, Insightful)

    by niiler (716140) on Wednesday October 12, 2005 @11:21AM (#13774148) Journal
    Points of failure in any software, that it is impossible to know who to blame.

    For example. Today, I set up HPLIP for the first time instead of HPOJ for my PSC2110. What a pain. I had no problems configuring or making, but then there was an issue when I tried installing. Clearly the HPLIP programmers' fault, right? Or was it that I was using a Slackware derivative with a mixture of packages and as a result, many libraries and config files were in non-standard places? I would have guessed that if ./configure && make worked, everything was found properly. But it wasn't. If my nonstandard config was the problem, then perhaps I'm responsible. Eventually I got everything working but with one caviat. I could only scan as root.

    In the real world, if this happens to a litigious happy individual who likes to bill $400/hour, he'll sue:

    • The distro - for not giving directions, or having the package properly precompiled for exactly his system
    • Slackware - for not providing a compatible package (the reasoning being that if the distro is Slackware-based, then Slackware must assume some liability)
    • The hpij developers, since this could have been an issue
    • The cups developers, since this could have been the issue
    • The kernel developers, since this could have been the issue
    • HP, since their driver didn't work instantly in the desired way
    • etc...
    • I'm sure I've left someone out. Anyhow, considering the sense of entitlement most people who can hire lawyers have, this is not a path that we want to walk down. Each possible point of failure would become the target for a lawsuit when the real failure might be summed up as a case of not RTFM.
  • by RobinH (124750) on Wednesday October 12, 2005 @11:21AM (#13774157) Homepage
    While this may actually be feasible for shrink wrapped software that sells a million copies and has a team of expensive testers going over it button by button, this would completely destroy custom programming.

    I write software that is usually only run on one or two computers at one location, and it's constantly modified to add features, fix bugs, etc. Our company and our customers can't afford to pay triple the cost for the stringent software testing that a huge Micro$oft type place would have, so a law making the programmers personally liable would make all custom software prohibitively expensive.

    We do sell our code with a 1 year warrantee, so we agree to fix all bugs that come up within the first year. However, the agreement is not a guarantee. If there is a bug, we agree to fix it, but we're not going to compensate the customer for lost production or expenses.

    There is software in this world (I'm thinking the QNX kernel here) that actually comes with a guarantee that it works as documented. The company (QSSL) has liability insurance just in case. Of course, that makes QNX licenses more expensive than they would otherwise be.

    Most software comes with a disclaimer. Microsoft tells you that the user accepts the liability for any bugs. Even though nobody reads that disclaimer, it still exists. Right now you have a choice - you could hire someone to write code and give you a guarantee (expensive), or you could just buy something off the shelf (cheap) that would probably work ok most of the time. The article is talking about removing that choice.
  • Not a good idea. (Score:3, Insightful)

    by unoengborg (209251) on Wednesday October 12, 2005 @11:23AM (#13774188) Homepage
    People/companies are not writing bad code because they are sloppy or doesn't want their code to be secure or correct. They write bad code because there really is no way ensuring the security today. If there were, price insensitive things like battle ships would not be dead in the water because of software error. I suppose you could make code reasonably secure for certain certified environments e.g. Running a certain build of MS-Office on a certain build of Windows XP in a certain hardware in a specified configuration.

    What if the user doesn't run it under the conditions specified e.g. connect it to the internet and internet was not covered by the specification should the developer be liable then? Of course you could hold the developer liable no matter what. But that would put software development in a different position than all other products. E.g should a building contractor of a high building be held responsible for the damage to a parked car outside the building caused by somebody jumping from the roof in the act of committing suicide? I think not, even though the errors in building construction making this possible and the means to fix them is much more evident than most software problems.

    The only thing that will happen if this was introduced is that software prices would go up radically as software companies or individual developers need to make sure the make a profit even if they have to pay damages now and then. I.e. the price of the software will have to pay more lawyer and insurance fees. If this is introduced in a country the cost of running a business will increase significantly, and I am not just talking about software business. How many businesses would afford to have the cost of their IT infrastructure increased by several orders of magnitude. A country that introduced such laws would kill all business that need some kind of IT support, at least if it did not also have very high customs fees or taxes for imported products and services.

    As for the software industry of such a country you would probably see fewer and bigger companies with the money to bury customers claiming their rights in legal process for a very long time perhaps until they go out of business before they get their money. The fact that there was fewer actors in the market would in itself raise the price of software due to less competition. It would also slow down the speed of development. If you for instance create a new version of an office productivity suit, you would probably want to test it for several years on a group of subjects that have waived all their legal rights before you release it to the general public. Then you would like to profit from that investment for a very long time. Perhaps 20 years or so.

Economists state their GNP growth projections to the nearest tenth of a percentage point to prove they have a sense of humor. -- Edgar R. Fiedler

Working...