Holding Developers Liable For Bugs
sebFlyte writes "According to a ZDNet report, Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write. He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system. He was speaking in his capacity as CEO of a security consulting firm at Secure London 2005."
Sarbanes-Oxley (Score:3, Informative)
I suspect many people who write software, like myself, are already personally responsible. And so we should.
Re:CMMI (Score:3, Informative)
So to speak.
Collaboration is not a hard requirement. IMO. (Score:3, Informative)
There are dozens (if not hundreds) of examples out there of high-quality code being produced by a single standalone programmer, some of them fairly complex applications/utilities, and that is true not only in the DOS/Windows shareware and open source software environments but also in the corporate mainframe environments where I've worked.
Yes, such folks will generally have other folks do testing over time, but often the concept, design, coding, and initial testing stages are all handled by a single person who has the technical skill, vision, and determination to create the initial solution and whip it into workable shape. Once that basic foundation is in place, feedback from others is solicited.
A person who doesn't care about quality or who isn't technically adept enough to avoid problems is probably going to produce a bad piece of software in the end regardless of the processes in place unless everyone else in the development chain holds his/her hand.
A person who is obsessed with clean code and who has a clear vision, on the other hand, can often perform amazing feats with little more than a single PC or terminal, a pizza delivery service, and a few hundred gallons of coffee (or Mountain Dew) at his or her disposal.
Re:Sarbanes-Oxley (Score:2, Informative)
If you intentionally sneak something in that causes the data to be misrepresented, you're liable.
If you put something in that is defective and didn't follow procedures, you're liable.
But even the shuttle software, for example, still has the occasional bug even though it is developed under some of the most stringent policies in the world and isn't an overly large application.
responsible politician ... flying pig (Score:2, Informative)
Ha! Yeah, that'll happen.
Political responsibility is limited by the memory span of the constituents. If we've forgotten by the time of the next election, then they're not held responsible. There are several problems contributing to this:
There are other reasons why politicians' actions are poor.
Clueless! (Score:2, Informative)
Likewise, security consulting companies generally only issue "verifiable statements" regarding the software they evaluate. Such statements can include things like "passwords are not stored in plaintext", or "all network traffic is encrypted with SSL". No company with a clue would risk its business on a blanket guarantee that a piece of software is "secure". That's because there is no way to verify a given application is "secure" in the absolute sense anyway.
Yet Mr Schmidt expects developers to certify as such. He clearly has no clue. While he's at it he should demand that automotive engineers certify their cars will never break down, and that police be held personally liable for failing to prevent a crime.