Insecure Code - Vendors or Developers To Blame?
Annto Dev writes "Computer security expert, Bruce Schneier feels that vendors are to blame for 'lousy software'. From the article: 'They try to balance the costs of more-secure software--extra developers, fewer features, longer time to market--against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales. The end result is that insecure software is common...' he said. Last week Howard Schmidt, the former White House cybersecurity adviser, argued at a seminar in London that programmers should be held responsible for flaws in code they write."
How about both? (Score:3, Interesting)
BTW, this topic seems vaguely familiar. Is this a dupe?
Re:E&O by company or by employee (Score:2, Interesting)
Actually, this is true
BTW, how is this going to work if the programmer is a citizen of India? Are US prosecutors going to extradite him or her for inadvertent buffer overflows?
Worse isn't better, it's just 90% don't want it (Score:3, Interesting)
This all seems to be a rehash of the "worse is better" meme ... that those damn software programmers/companies aren't doing what we want. The only problem is, it's all crack [artima.com]. Almost no customers, even now, are willing to pay more for "quality".
Yes, I think all other things being equal, people will go towards quality/security ... but it just isn't high on anyone's list. Cheap, features, usable ... and maybe quality comes in fourth, maybe.
And, yes, there are exceptions ... NASA JPL obviously spend huge amounts of money to get quality at the expense of everything else, and I say this having written my own webserver because apache-httpd had too many bugs [and.org] (which comes with a security guarantee against remote attacks) ... but I'm not expecting people to migrate in droves from apache-httpd, it's got more features. The 90%+ market share have spoken, consistently, and they just don't care about the same things Bruce and I do.
I have a lot of respect for Bruce, but the companies really are just producing what most people want ... so stop blaming them.
Re:Why not?! (Score:2, Interesting)
I would love to have luxury of being able to build properly secure solutions and perform extensive system testing, but it's just not possible. The same is true for proper documentation and being pro-active during maintenance contracts.
The worst part of it all is that the clients have gotten used to both the lower prices and the lower quality. We won't get work if we jack up the prices in order to provide the quality of work we really should be providing.
Re:Errors and Omissions Insurance (GPL V3) (Score:3, Interesting)
Closed source applications wouldn't be able to use this loophole.