Security

Holding Developers Liable For Bugs

sebFlyte writes "According to a ZDNet report, Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write. He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system. He was speaking in his capacity as CEO of a security consulting firm at Secure London 2005."

  • Hey, God (Score:5, Funny)

    by Anonymous Coward on Wednesday October 12, 2005 @10:16AM (#13772942)
    About this little thing called "the mosquito" which we received as part of Earth v1.0....
  • Says it all (Score:3, Funny)

    by ackthpt ( 218170 ) * on Wednesday October 12, 2005 @10:22AM (#13773010) Homepage Journal
    ex-White House cybersecurity advisor

    I didn't catch the ex- part the first look and thought "whaaaat?" as I know the current White House occupation force is very Microsoft Friendly and would never endorse such sentiments.

  • by JemalCole ( 222845 ) on Wednesday October 12, 2005 @10:23AM (#13773019) Homepage

    He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system.

    You know, I don't think it's entirely his fault that he's an idiot: I blame the education system.

  • by Anonymous Coward on Wednesday October 12, 2005 @10:26AM (#13773061)
    No one is responsible for security flaws in software products. It says so in the EULA.
  • by Velox_SwiftFox ( 57902 ) on Wednesday October 12, 2005 @10:31AM (#13773105)
    You're leaving out the lower levels. I take it CMM-1 is the level where if the software suddenly causes monkeys to fly out of the butt of the user, that it is perfectly within the specification?
  • Re:Right. (Score:1, Funny)

    by Anonymous Coward on Wednesday October 12, 2005 @10:32AM (#13773127)
    ah - but if you lose the court case, then it's actually the lawyer's fault so he gets to pay the damages....
    sounds good to me!
  • by ScentCone ( 795499 ) on Wednesday October 12, 2005 @10:33AM (#13773137)
    Whatever happened to holding the people who exploit vulnerabilities responsible?

    That's crazy talk! What are you thinking, man? Next you'll suggest that when I walk down the street with my entire head completely exposed and vulnerable, that somehow the mugger that hits me over the head with a baseball bat may somehow be responsible for the outcome! See how crazy you are?

    Or, when I lock my door and leave my house for the day, and a guy comes along with a sledgehammer and just breaks in anyway - I suppose you think that the person with the sledgehammer is somehow responsible for that? Totally twisted, man.
  • by Black Parrot ( 19622 ) on Wednesday October 12, 2005 @10:36AM (#13773190)
    > That proposal sounds fine, but then we should hold government leaders personally responsible for wrongdoings of government.

    My solution is, at the end of a politician's term hold an election where the only two options are:
    • grant him another term
    • send him to prison
    Maybe that would help guide their behavior.

    OTOH, shouldn't the voters who put a bad man in office go to prison for it?
  • Re:Right. (Score:3, Funny)

    by xtracto ( 837672 ) on Wednesday October 12, 2005 @10:55AM (#13773385) Journal
    Obligatory Simpsons quote:

    Lionel Hutz
    "Can you imagine a world without lawyers? (Then he imagines everybody holding hands, dancing together, and shudders)"
  • Re:Right. (Score:3, Funny)

    by hackstraw ( 262471 ) * on Wednesday October 12, 2005 @11:22AM (#13773653)
    Sure, let's sue the pants off anyone who does anything wrong. Let's make it impossible for anyone to create anything new or different. Cradle-to-grave protection, ensured by armies of well-intentioned and socially-responsible attorneys -- that's the sure way to economic success!

    Better watch out, I have a patent pending on such a thing right now. Anybody with such a plan will have to license it from me!
  • by jnaujok ( 804613 ) on Wednesday October 12, 2005 @12:08PM (#13774032) Homepage Journal
    As the only comparable occupation where one is held liable for every action, this would put me in the same category as a medical doctor. That means:

    • My salary immediately jumps to the $500 to $1000 per hour range
    • The number of people willing to code drops close to zero
    • I carry "Security-Flaw Insurance" to cover my code
    • I can demand only the most up-to-date equipment and refuse to work without it
    • I only have to see one manager every two hours, and that for five minutes. The rest of the time I only have to have my nurse/assistant deal with them.
    • My nurses/assistants do 90% of the work, but get paid 5% of the money
    • You can come to me with requirements, but I'll tell you what we're going to do about them. If you don't like it, go get a second opinion from my other coding friend.
    • I only write about 15 lines of code every day
    • I come to work at 10:00, take a two hour lunch, and leave at 3:30
    • Computer companies give me free stuff to recommend their products
    • One word: Golf

    So, heck yeah, cripple the IT economy, and make me stinking rich!
  • by rishistar ( 662278 ) on Wednesday October 12, 2005 @12:21PM (#13774160) Homepage

    Nah, that requires too much effort. It is much easier to find someone whose name is tied to the code.

    That'll teach those coders to put their names at the top of files.

  • by HTH NE1 ( 675604 ) on Wednesday October 12, 2005 @12:32PM (#13774283)
    In the Code of Hammurabi, 18th Century B.C.:

    If a contractor builds a house for a man and does not build it strong enough, and the house which he builds collapses and causes the death of the house owner, then the contractor shall be put to death.

    If it causes the death of the son of the owner, then the son of the contractor shall be put to death.

    This is of particular interest to me as I contribute code to software used to design steel buildings. I would not want to see this code reapplied today to dwellings or programming.
  • by Anonymous Coward on Wednesday October 12, 2005 @03:03PM (#13775612)
    "If a contractor builds a house for a man and does not build it strong enough, and the house which he builds collapses and causes the death of the house owner, then the contractor shall be put to death.
    If it causes the death of the son of the owner, then the son of the contractor shall be put to death.
    "

    If it causes the death of the owner's boss, then the contractor's boss shall be put to death.
  • by Duhavid ( 677874 ) on Wednesday October 12, 2005 @05:18PM (#13776790)
    And there was much rejoicing!
  • Re:CMMI (Score:3, Funny)

    by sik0fewl ( 561285 ) <xxdigitalhellxxNO@SPAMhotmail.com> on Wednesday October 12, 2005 @08:53PM (#13778273) Homepage

    If only computer programmers were the ones that drafted laws..

  • by jafac ( 1449 ) on Thursday October 13, 2005 @12:57AM (#13779412) Homepage
    Scary, but you just described my company's business process. I think it's even documented that way. ;p
