Holding Developers Liable For Bugs

sebFlyte writes "According to a ZDNet report, Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write. He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system. He was speaking in his capacity as CEO of a security consulting firm at Secure London 2005."
  • by metternich ( 888601 ) on Wednesday October 12, 2005 @10:17AM (#13772958)
    You need proper code reviews, etc. if you want to find security flaws. The company writing the code should be responsible for organizing such things.
  • by Jaeph ( 710098 ) on Wednesday October 12, 2005 @10:22AM (#13773017)
    It's not always a question of the coder, and a bug is not always a bug. In the example in the article, for all we know the specification called for a plain-text transfer, and the coder did exactly right.

    So we'll have yet more wrangling over specifications, more walls between users and developers, and more CYA behavior. That'll be fun.

    -Jeff
  • Law Suits (Score:2, Interesting)

    by Treacle Treatment ( 681828 ) on Wednesday October 12, 2005 @10:23AM (#13773020)
    Look at it this way. There are already laws on the books that say I can sue company X for giving me a POS. Why go after the poor slob who works for the company? If I have a blowout on a tire on my car, should I track down the guy on the assembly line that was working that day, or go after the company whose process stinks?

  • by coyote-san ( 38515 ) on Wednesday October 12, 2005 @10:24AM (#13773039)
    While individuals can make stupid mistakes, the real problem is in the system and managers are ultimately responsible.

    As a simple example, take a web application. The web people believe (reasonably or not) that the form fields will be cleaned up by the backend people. How do they know what's dangerous anyway? The backend people believe (reasonably or not) that the data will be cleaned up by the web people. How do they know the various encoding schemes used, etc.

    Then some **** adds a cross-scripting exploit and compromises sensitive information.

    Who's responsible, the developers or the managers? Even if the developers are paranoid, what about the errors introduced as everyone tries to handle conditions outside of their sphere of knowledge? What about the new security flaws introduced by that?
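The gap the post describes (each layer assuming the other "cleans up" form fields, with nobody sure which encoding schemes apply) can be made concrete. The following is an added example, not code from the original post or from any of the commenters: a naive front-end check that only looks for a raw `<`, a bounded canonicalization step that shows what that check misses once URL and HTML-entity encodings are peeled off, and output encoding at the rendering layer, which is the step no layer should assume another one performed. The sample field values are constructed for the illustration.

```python
import html
import urllib.parse

# Constructed sample form submissions (not from the original post). The first is
# harmless; the others carry the same markup under different encodings.
SAMPLE_FIELDS = [
    "Alice",
    "<b>bold</b>",                  # plain
    "%3Cb%3Ebold%3C%2Fb%3E",        # URL-encoded
    "&lt;b&gt;bold&lt;/b&gt;",      # HTML-entity-encoded
    "%253Cb%253E",                  # double URL-encoded
]


def naive_frontend_filter(value: str) -> bool:
    """The kind of check the post's 'web people' might write: accept the field
    unless it contains a literal '<'. Returns True when the value is accepted."""
    return "<" not in value


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Reduce a value to its decoded form by repeatedly applying URL decoding and
    HTML-entity decoding until nothing changes. The round limit keeps a
    pathological input from spinning forever; anything still encoded after
    max_rounds is simply left as it is."""
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def render_comment(value: str) -> str:
    """Output encoding at the point where the value is embedded in HTML.
    This is done on the raw value as the user typed it, regardless of what any
    upstream layer did or did not do, so a legitimately typed '&lt;' still
    renders as the text the user entered."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def audit(fields):
    """For each field, report what the naive filter decided, what the value
    decodes to, whether decoding exposed markup, and the safely rendered form."""
    rows = []
    for raw in fields:
        canon = canonicalize(raw)
        rows.append({
            "raw": raw,
            "naive_filter_passes": naive_frontend_filter(raw),
            "canonical": canon,
            "markup_after_decoding": "<" in canon,
            "rendered": render_comment(raw),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_FIELDS):
        flag = "MISSED" if row["naive_filter_passes"] and row["markup_after_decoding"] else ""
        print(f"{row['raw']!r:32} -> {row['canonical']!r:16} {flag}")
        print(f"{'':32}    rendered: {row['rendered']}")
```

Running it shows that three of the five constructed values sail past the literal-`<` check yet decode to markup, while the escaped rendering contains no raw angle brackets for any of them.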
  • OSS Projects? (Score:3, Interesting)

    by psyon1 ( 572136 ) on Wednesday October 12, 2005 @10:25AM (#13773049) Homepage
    How would this affect OSS projects? Would the development community be liable for damages caused by bugs in software? I have seen a lot of free software that comes with a disclaimer waiving all responsibility of the author; would that still hold up?
  • by gl4ss ( 559668 ) on Wednesday October 12, 2005 @10:26AM (#13773058) Homepage Journal
    it's all about money in the end.
    going over the code with a few extra eyeballs costs - it costs in wages and it costs in _time_.

    also sometimes it's about compromises.. sometimes the things are designed badly in some aspects so that the product is convenient in others.
  • by Skye16 ( 685048 ) on Wednesday October 12, 2005 @10:30AM (#13773102)
    While the parent references Bush, this works both ways. Actually, it works all ways. Delay? To the pit with him. Clinton? An oubliette. (Not for the adultery - I don't think that's illegal in DC - but for the lying under oath ("I did not have sex with that woman" (okay, maybe there's room for debate, as he only got a blowjob, but if a court does find him guilty, THEN to the oubliette)). I'm sure there are some Independents out there guilty of some things. Democrats too.

    Personally, I think if you're in government, and you break the law, you should get double to triple the punishment you normally would. Why? Because you're held to a higher fucking standard, that's why. Don't like it? Don't run for office.

    Not that any of this was really on topic...
  • by LexNaturalis ( 895838 ) on Wednesday October 12, 2005 @10:34AM (#13773160)
    I think I agree with the British Computing Society more so than with Mr. Schmidt. I think coders should be held responsible, within a company, for poor code that they write, but overall the company should be held liable for bad code that it ships. If a company fails to have proper QC, then it's the company's fault, not the fault of a lone coder who might have written an insecure subroutine. Most companies don't have single coders, and rarely is there a single coder who has full (100%) knowledge of the other 10,000,000 lines of code in the product. I think proper education, as stated in TFA, is a better idea. Why not send the employee to a security class if the coder continually writes insecure code? That'd solve the responsibility issue and the education issue. Then, the company would produce more solid code and everyone wins; especially the consumer.
  • Re:Sheesh! (Score:5, Interesting)

    by bill_mcgonigle ( 4333 ) * on Wednesday October 12, 2005 @10:36AM (#13773189) Homepage Journal
    I don't know - this could be good for good developers.

    We'd carry "malpractice insurance" the same as a doctor or an engineer who builds a bridge.

    But we'd also develop some backbone. We'd mandate full use-cases, real automated testing, input validation, edge cases - and it would ship when it was ready. Any CEO ramrodding out shoddy software would be in the same position as a CEO at a pharmaceutical company doing the same, subject to having the whistle blown on them.

    Overall, it would serve to elevate the position of software developers to a more professional status, and the salaries would go along with it. There would also probably be stratifications along the lines of architect/engineer/draftsman that we see where this has been done already.

    More significantly it would put up substantial barriers to outsourcing.

    But don't expect Corporate America to allow this to happen without considerable campaign contributions against it. The last thing [name your big abuser of programmers] wants is 'professional' developers (or American developers for a subset of those companies).
  • Processes can aid in ensuring consistency, but they aren't strictly necessary.

    I worked as a development/support programmer in a fairly critical application area for a major airline for over ten years, and we had a small tight team of a dozen fairly experienced developers and only a few formal processes in place. The software that was written and loaded in production was generally of very high quality, mainly due to a good culture of informal peer review, testing (involving users and programmers alike), heavy use of a test system to let changes simmer a bit before release, etc., but there really wasn't a formal "methodology" in place, just common sense practices that everyone there had agreed to follow.

    For larger groups or in development environments where software is released in bursts (e.g., a new version is released to external customers every few months) it might make more sense to put more formal processes in place, but when working on a living system that has to change from time to time in a few days (or even hours) I'd rather put my faith in a couple of experienced programmers who know the system and the expectations of the end users.
  • by Rob Riggs ( 6418 ) on Wednesday October 12, 2005 @10:43AM (#13773258) Homepage Journal
    You also need properly trained personnel who can spot security flaws in code. Those are typically expensive and harder to hire than your average coder or QA person. If said company is only willing to pay an "average" salary, they will get exactly what they pay for.
  • by xtracto ( 837672 ) on Wednesday October 12, 2005 @10:48AM (#13773312) Journal
    That proposal sounds fine, but then we should hold government leaders personally responsible for wrongdoings of government.

    Just to put something valuable to your offtopic rant (FTFArticle):

    Schmidt also referred to a recent survey from Microsoft which found that 64 percent of software developers were not confident they could write secure applications. For him, better training is the way forward.

    I think one of the key issues of non-secure software is the tools that are available to develop it. By that I mean languages & compilers.

    1. You see, people that make programs in C/C++ know that if they are not used well there is a HUGE chance to produce buggy code. Now, it is also known (as another slashdotter stated before) the incentive to put a lot of effort into making bug-free software (i.e. the time spent for QA in C/C++ apps.) is not really good, after looking at the average developer per hour payment.

    Because of this, companies like Microsoft, SUN, Metrowerks etc. should make better compilers, maybe compilers that whine about all kinds of errors (i.e. pedantic flag?).

    The other way is (what has been done and I think has been quite useful) to create new languages which are less prone to errors (i.e. Java, C#, VB .NET [I expect more than one comment on this last one]).

    2. Another thing closely related to the first point is TOOLS; these tools should be a VERY robust set of tools that allow programmers to develop applications. Something like the Java API, for example if I want to make a simple chat program, this toolset would allow me to do it very easily.

    And, as a personal opinion, all those toolsets should have a "secure by default" approach. I am sure a lot of people will tell me "there are enough tools, but people do not use them", as for example, an RSA communication module in Java, or what not. The matter is that it should be the OTHER way around: the common (just an example... I do not know by heart the Java API... hell, ANY API) net.java.network.tcp.HTTPObject should have an OpenConnection function which is SECURE by default, not an OpenSecureConnection() or even worse to have this connection on a net.java.network.securetcp.SecureHTTPObject because, that way, the general programmer won't use it.

    Of course training is important, but one of the reasons why there has been an *explosion* of software nowadays [yes, a lot of it crap, closed and open source alike] is that more tools have become available. But these tools should be perfect.

    As for the "developer liability" I think that is reasonable when you buy your software, but when talking about open source or any other kind of free software I think it is the most stupid thing. It is like when the kid blew up his fingers trying to make a bomb using the Anarchist Cookbook, so what, is the author liable?? and worse, if you are just giving away something what the heck could someone claim?

  • by uqbar ( 102695 ) on Wednesday October 12, 2005 @10:51AM (#13773353)
    Rather than deal with the problems that lead to insecure code (usually management based) most companies will take out insurance. And this has worked so well for Medicine...
  • Re:Right.... (Score:2, Interesting)

    by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Wednesday October 12, 2005 @10:58AM (#13773415)
    Software is a bit different than anything else you can compare it to. It is essentially "living" math equations. To prove a program to be perfectly functioning is the equivalent of proving a huge mathematical statement... except because of that good ol' Turing completeness you can't ever prove that an arbitrary program will halt given any type of input (that's not to say that you can't severely limit the cases, and it is possible to design a program that you can prove will halt, just very hard for any complex piece). I could go into this further but suffice it to say that proving quicksort sorts on average in n lg(n) is one thing, proving that your program will perform every function as desired is quite another and would take decades to produce any piece of software of any notable complexity. Adding to this... your software is running in an environment on an OS that it doesn't control which can have any of a variety of patch sets and have any versions of various drivers while also running alongside other software that may affect your program by hooking into it, corrupting files, eating all the memory on the machine, thus screwing your program and causing it to possibly crash in the middle of an important cycle. It's not like the Universe where you can be pretty sure what physical laws you're dealing with. In software there is no set of standard "laws"; every computer is a different "universe" with different hardware, different programs, different speeds, different amounts of memory, things like antivirus and anti-spyware will interfere with how your program functions, viruses, and random operating system quirks. Your software relies on the operating system to be perfect, and to prove the operating system to be perfect I would imagine would take on the order of 5 decades, while at the same time forcing the software to not be advanced or changed at all because the proof would have to start from the beginning again. Then for every bug found while proving the operating system functions as desired, when that bug is fixed the proof would have to be done all over again from scratch. The world of software is different than any other industry in the history of man, and as such cannot be compared with industries that make physical products. If you don't want technology advancement to crawl to a stop, then don't support this.
    Regards,
    Steve
  • Re:CMMI (Score:3, Interesting)

    by 'nother poster ( 700681 ) on Wednesday October 12, 2005 @11:06AM (#13773493)
    Yes, but if the hypothetical law was written that the coder was responsible, as recommended by the ex-cybersecurity czar, it wouldn't matter how many levels of incorporation you hid behind.
  • Accountability (Score:3, Interesting)

    by plopez ( 54068 ) on Wednesday October 12, 2005 @11:07AM (#13773506) Journal
    Is the sign of a profession as opposed to a trade or a craft. If we want software 'engineering' to become a true discipline we need to hold software 'engineers' accountable. In every other engineering profession insurance for errors and omissions is required to practice, basically malpractice insurance. Even contractors, plumbers and electricians often must be licensed and/or post bond. Why not programmers?

    Any company reselling software in the US developed overseas would carry the liability and thereby apply the same rules to overseas programmers (e.g. an offshored CPA must still pass a CPA exam or selling that person's services as a CPA is fraud).

    In addition, development of and adherence to best practices would then have to be done by companies or they would never get SEs to work for them. The liability issues would be too great, and this would force companies to actually develop best practices and processes.

    It would make sense to do this.
  • Re:CMMI (Score:2, Interesting)

    by Delphiki ( 646425 ) on Wednesday October 12, 2005 @11:10AM (#13773537)
    Developers pay money, insurance companies get money, end users get screwed, politicians and executives get rich. This is called "building economic value".

    How the hell did this get modded insightful? Your post was reasonably sane, if uninteresting, until this point. Ok, developers pay money, insurance companies get money. So, how does this screw end users? Software developers would be forced to write more secure code to avoid crippling insurance rates. How do politicians and executives get rich, any more than they do already? So are you upset that insurance executives would get rich instead of software executives? Also, if insurance companies could get a cap on liability (they haven't had too much luck doing it with other types of insurance yet), then the price of insurance would go down due to competition between insurance companies.

    Besides which, if you don't want there to be liability, which seems to be what you're getting at, how is it worse if the liability is capped?

  • by popra ( 879835 ) on Wednesday October 12, 2005 @11:13AM (#13773563)
    when you buy a car, drive it, the brakes fail, you hit a wall and die... who is held responsible? the company that built it.
    when your airplane crashes in the middle of the ocean due to engine failure... who is held responsible? the company that built it or the airline.
    the answer is never the designer, engineer or whatever.
  • Re:CMMI (Score:5, Interesting)

    by sedyn ( 880034 ) on Wednesday October 12, 2005 @11:17AM (#13773607)
    The only way that programmers should be personally responsible for their actions is if they can be directly given the rewards. I don't know how this system would work. All I know is that when you currently sign a EULA it is not with a programmer, it is with a company.

    If we are not directly given rewards, then I'm going to study for an MBA after my CS degree to limit my personal responsibility (paradoxically increasing overall responsibility), and most likely make more money anyway. People (shareholders) in corporations get to legally hide behind "the corporate entity" to shield them from personal financial litigation; their employees should have the same benefit.

    But I think your doctor example is correct, and would describe much more than you pointed out (for example, we would be forced to become as thorough as possible, like doctors, which would force us to ensure that employers permit it, which may cause unions or something similar, and I doubt business people want unions, especially in IT. I know there are arguments against that, but think: if fewer people enter the field and those that do are more responsible, then the result is higher paid, and more powerful people that need control of their work)
  • Re:CMMI (Score:5, Interesting)

    by Directrix1 ( 157787 ) on Wednesday October 12, 2005 @11:23AM (#13773665)
    Isn't it weird how several people, in almost unison, just suddenly decided: "Hey, software developers need to be held liable for bugs in their code." It makes you wonder about their backgrounds [computerworld.com] (read second paragraph). I'm sure this has nothing to do with open source software developers being financially incapable of being held liable for flaws in software they donated. On the other side, I do agree that closed source (AND ONLY CLOSED SOURCE) software makers should definitely be held liable, as there is no other means of recourse in the event of software failure. Whereas open source, license or not, spells out exactly what it will do, line-for-line, and you can either take it or leave it.
  • by StillNeedMoreCoffee ( 123989 ) on Wednesday October 12, 2005 @11:24AM (#13773671)
    Who gets sued has to do with who has the deepest pockets. If there is a billion dollar software company and a 50k programmer who introduced a defect, the lawyer for the plaintiff will counsel that the company and the store that sold you the software (assuming it is a big store chain) will get sued to maximize the lawyer's return on investment (not necessarily yours). You see that with car accidents as well, where the car company might also be getting sued if it looks like an argument can be made. Not that it makes any sense, but it will mean usually it is better for a company to settle than to pay their own lawyers big fees to take something to court where they might lose.

    Doctors are leaving my State because of this practice. Malpractice Insurance is way up. Not because there is more malpractice but because the laws of the State and the courts and the lawyers are having a field day, an orgy of wealth sharing. (Well, sharing among lawyers).

    It's more a lawyer wealth acquisition opportunity than a user or industry complaint resolution or redress technique.

    How many times have you heard a plaintiff say "I'm not suing for the money, just to get satisfaction or prevent this from happening to someone else". You don't hear their lawyer saying that (pro-bono aside), so often the lawyer gets much much more of a settlement than the plaintiff. Where's that at? Usually it is structured that the lawyer gets 50 or 70% of a settlement, but wait, I'm not done: lawyers' expenses (including time spent) are taken off the top before the split or taken out of your split. And I thought project management was a racket.
  • Re:Sheesh! (Score:2, Interesting)

    by DigitalCrackPipe ( 626884 ) on Wednesday October 12, 2005 @11:25AM (#13773675)
    Apparently he was willing to blame everybody except himself for failures... he has management written all over him.

    Seriously though, management would be responsible long before the engineers, because they make the choices that either ensure or prevent quality.
  • Re:Hey, God (Score:2, Interesting)

    by Impy the Impiuos Imp ( 442658 ) on Wednesday October 12, 2005 @11:32AM (#13773724) Journal
    Noah and his kin must have been very sick aboard the Ark because things don't evolve, and nobody but God can create life, so they must have hosted tuberculosis, flus, colds, the Black Death, pneumonia, crotch cheese, those little yellow cute guys that live under nails, skin worms, heart worms, et al.

    In fact, every species should have been sick as a dog, who would also be loaded with heart worms.

    Well, either that, or the Noah thing is a bunch of crap.
  • Why stop there (Score:5, Interesting)

    by hey! ( 33014 ) on Wednesday October 12, 2005 @11:35AM (#13773749) Homepage Journal
    You're right, but you don't go far enough.

    The fact is that the supply of competent people in the world is vanishingly small, whether they be programmers, managers, or people whose job it is to procure things. I'm not talking paper qualifications, I'm talking about functional competence: the ability to handle a complex and uncertain situation, and make the right decisions. It's generally found among people like farmers and blacksmiths who know their business because it is part of a body of knowledge that has been handed down from time immemorial. Marketers, managers, software engineers and other people engaged in modern professions -- well, let's say good ones are rare indeed.

    Furthermore true integrity, the type that makes you do the right thing when it's easy to pretend things are better than they are and leave some other poor bastard holding that bag -- that's even rarer.

    Software, like most other modern products that are intangible or have significant intangible value components, is a product of the Shambling Juggernaut of Incompetence and Denial. The SJID, it must be admitted, works far better than it has any business to. People caught up in it interact like atoms of gas, the composite average of which produces a tolerably reliable mediocrity. Occasionally it will miraculously spit out something wonderful, and not unusually it will produce something horrible, but the machine rolls on. And what keeps it running is Denial. Incompetence is the common denominator to be sure, but denial is the fuel that drives the machine and the glue that binds it together. Success has a thousand fathers but failure is an orphan. Those who have reason to be glad of this find their most natural home in the SJID.

    Unfortunately for you, dear Slashdot reader, there may be no place for you here, because unlike the marketers, management consultants, CEO, board, procurement agent, and virtually every other party in the software development arena, you left a paper trail of every mistake you made, no matter how small or how minimally contributory to the overall failure it may be. Blame is supposed to ooze throughout the system so that pain and damage is not felt in any one place, but instead diffuses into a general atmosphere of dissatisfaction and helplessness. But you, dear reader, carry the antibody of Accountability, which can reliably attach to Blame in concentrations as low as 1 PPM.

    And now, they've noticed. Beware.
  • So Long, Gang... (Score:4, Interesting)

    by The Angry Mick ( 632931 ) on Wednesday October 12, 2005 @11:38AM (#13773779) Homepage
    Nah, that requires too much effort. It is much easier to find someone whose name is tied to the code.

    Damn. I guess this means the end of Microsoft, and Linux, and FreeBSD, and UNIX (I would say SCO-UNIX, but let's face it, they're gone already), etc. - God knows they've got plenty of names lurking in their code and all have had some sort of vulnerability at some point in time. I guess all that'll be left is OpenBSD, although that one exploit may come back to haunt 'em.

    On another note, I'm curious to see how Mr. Schmidt would like the liabilities to be addressed. Are we talking, say, a $5.00 fine for typos, $100.00 for DLL/Library breakage, $1000.00 for a viral vulnerability, and, oh, maybe $1,000,000.00 for an exploit that grants root privileges? Would these penalties be scaled by installed user base so that smaller companies like Bob's Fuzzy Linux won't go bankrupt after the first lawsuit? Or will larger companies be able to buy "vulnerability credits"?

  • Re:Hey, God (Score:4, Interesting)

    by magarity ( 164372 ) on Wednesday October 12, 2005 @11:40AM (#13773790)
    the Noah thing is a bunch of crap.
     
    It should surprise no one that a religion started on the largest flood plain in the world has a giant-flood-wipes-out-everything story as part of its mythos. There may well have been some guy whose family and livestock rode out a particularly nasty flood on a raft and this got enhanced and embellished to the current version. But you don't need to be a sarcastic jerk about it.
  • Re:CMMI (Score:4, Interesting)

    by WolfWithoutAClause ( 162946 ) on Wednesday October 12, 2005 @11:49AM (#13773880) Homepage
    Yeah, and just try getting malpractice insurance in an environment where in the middle of an operation the hospital can declare that 'the operation is over, the patient can leave now'; and if the patient dies, it's the surgeon's fault and (s)he gets sued.
  • by ClayDowling ( 629804 ) on Wednesday October 12, 2005 @12:02PM (#13773986) Homepage
    If I have to carry professional liability insurance, I will have to charge some very prodigious rates. These will be rates on a par with what doctors charge. Which means that I'm driving a new Mercedes in the not too distant future.

    At least in theory, companies will simply refuse to hire domestic programmers because their rates would be too high. However it's likely that companies could become pretty risk-averse and unwilling to hire foreign programmers, since they will have no recourse when the corporate data is compromised. The discrimination against foreign programmers will become similar to what is faced by foreign doctors currently.

    Likewise, because of the increased expense, companies will buy far less software in general, and they will plan out their real needs a lot more carefully.

    I can't say if this will be good or bad for programmers in the long run. Attorneys and doctors seem to be prospering and they live under the same burden. It could well be that placing professional liability on programmers and weeding out the pretenders would be good for those that remained. The only question would be which of us would remain?
  • by foolinator ( 611098 ) on Wednesday October 12, 2005 @12:24PM (#13774198)
    There is over $3B spent a YEAR on "cybersecurity." So far, they've implemented an email alert system that tells people of new viruses/worms going around. They've convicted less than 10 people. They made claims that Al Qaeda operatives can turn off the Internet and disrupt powerlines through a modem in a cave (even though powerlines are turned off through a physical switch).

    Now, our cybersecurity advisor is making an outrageous claim that developers be held responsible for unforeseen security breaches. I would only be up for this if every time someone does a buffer under/overrun as a security breach the OS developer is held responsible - Microsoft :)

    There's many layers below the developer that can have security holes:
    * the virtual machine (for .NET/Java/Python etc etc)
    * The OS
    * the hardware's firmware
    * an error in the processor
    * the API the developer uses
    * poor requirements
    * encryption algorithm flaws
    * idiot bosses who proclaim that a product MUST ship on time

    This guy is nothing but a tool of the government. All of cyber security has always been this way. My only regret is not joining them to get a piece of the terrorist/cybersecurity pie they're handing out due to FUD.

  • Re:Accountability (Score:3, Interesting)

    by ctid ( 449118 ) on Wednesday October 12, 2005 @12:30PM (#13774253) Homepage
    Is the sign of a profession as opposed to a trade or a craft. If we want software 'engineering' to become a true discipline we need to hold software 'engineers' accountable. In every other engineering profession insurance for errors and omissions is required to practice, basically malpractice insurance. Even contractors, plumbers and electricians often must be licensed and/or post bond. Why not programmers?

    Think about what you're asking here. If I'm a plumber and I fix your toilet and it leaks, then I (or my insurance) would have to pay for the damage to your home and the cleaning up etc. As a programmer, my program might be installed on hundreds or even thousands of computers. How am I going to be able to compensate everyone who uses my software? Specifically, how is someone who offers free software going to be able to continue to do that?
  • by shreak ( 248275 ) on Wednesday October 12, 2005 @01:28PM (#13774762)
    These were Certified "Professional Engineers". This is different from being a "regular engineer" which is simply a corporate title.

    A P.E. is roughly equivalent to a C.P.A (Certified Public Accountant) and has undergone some form of state certification process. The process typically includes testing then working under a P.E for some number of years and usually another test.

    Once you are a P.E. you are able to "sign off" on specific designs. You are putting your professional name on it and can be held personally liable. P.E.s DO NOT do this for free and typically get "malpractice insurance". In this case the engineer made a mistake (or was incompetent) and is no longer a "Professional Engineer" (and may have suffered other claims).
  • Re:Code of Hammurabi (Score:2, Interesting)

    by Franklinstein ( 909568 ) on Wednesday October 12, 2005 @02:11PM (#13775113)
    You jest but engineers ARE held liable for their work...as are doctors. That is why they purchase such expensive insurance policies.

  • by riprjak ( 158717 ) on Wednesday October 12, 2005 @07:42PM (#13777794)
    ...Ok, I have donned the flame proof underwear here. And speaking entirely subjectively; well, in reference to Australian Engineering in any case.

    Anyway, I am an Engineer, with certified competencies in Australia. I specialise in mechatronic engineering and work mostly in manufacturing systems development. As a highly qualified professional, I can be and indeed am held personally liable for my failures, as can a Medical Doctor. The similarities?? LONG and COMPLEX degrees, sufficient training and sufficiently rigorous oversight that graduates, after an intern period, may be considered legally liable and have the skills and competence to operate in such an environment. Not only that, but I must demonstrate a significant number of hours a year in professional development to maintain my certification. Without it I couldn't get professional indemnity insurance, nor indeed jobs for which I am likely to be held personally liable.

    Here in Australia at least, there are NO true Engineering degrees for computer programmers. Electrical or Electronic engineers often specialise in computer systems, but they are still trained as Engineers first and foremost. Degree qualified computer programmers are at best science graduates and at worst arts graduates. It is unreasonable to place the burden of personal liability on people who did not choose such a career path. When I was at university the difference was 35+ contact hours vs 16- contact hours and a 4~5 year degree vs a 3 year degree. Those doing the latter certainly aren't likely to be adequately prepared to shoulder that kind of professional burden.

    Take a graduate mechatronic Engineer, a mechanical Engineer, a civil Engineer and an aerospace Engineer. Give them each problems from the others' fields and appropriate references. They will struggle with unfamiliarity but they WILL be able to competently solve the problem. Why?? They are all trained in the same basic principles. Hand a computer "engineer" a fluid dynamics problem and they will almost certainly NOT be able to solve it. They learn to write programs (so do we, actually; in fact, I consider the ability to program essential in graduate Engineers I hire, same as a second language; just important complementary skills, not core skills).

    In summary, you cannot start to hold an employee personally liable until the training and development systems that produce them are sufficiently rigorous to ensure that people who graduate into that field are at least theoretically able to take on the responsibility. Furthermore, some strong professional bodies would be required. The kind that require members to continue their professional development to retain certification and, therefore, continue to be considered competent to be held personally liable.

    Anyway, not trying to belittle computer "engineers", but I think their training has to step up several levels in rigor and broaden its scope to truly be considered an Engineering discipline before you start laying the burden of personal liability on their shoulders. Essentially, if you couldn't get professional indemnity insurance, you probably shouldn't be able to be held personally liable. Whilst there are very certainly programmers and hackers out there more than competent to be held liable for their work, without a professional structure there is no sure or reliable means to make that decision or filter people who really aren't able.

    Just my $0.02 AUD, apologies to any I offended :)
    err!
    jak.
