
Holding Developers Liable For Bugs

CmdrTaco posted more than 8 years ago | from the you-gotta-be-kidding-me dept.

Security 838

sebFlyte writes "According to a ZDNet report, Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write. He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system. He was speaking in his capacity as CEO of a security consulting firm at Secure London 2005."


Send jobs overseas, CMM (5, Insightful)

Agelmar (205181) | more than 8 years ago | (#13772940)

I will admit that I have seen a lot of bad programmers and bad code over the past few years, but let's step back and think about this. Programming jobs are rapidly being sent overseas to India and China. This is not going to create much of an incentive to keep such jobs in the States, nor does it create much of an incentive for people to go into the field. Holding companies accountable, as suggested in the article, might be a slightly better solution, but again it's somewhat complicated when you start trying to hold an overseas company accountable. (It's more doable than holding an overseas individual accountable, but still not a simple task).

As for the article's last point about CMM environments: It's not at all an indication that software has been developed by quality developers; all it means is that the code was developed using a reasonable development framework. CMM level 3 means that you document your processes, and typically have peer review. Bad peers means peer review is worthless - it does not guarantee good programs. CMM Level 4 involves "quantitative quality goals" by which productivity, quality and performance are to be measured. This is a bit better, but again it's a matter of where the bar is set. CMM Level 5 is about continual improvement, and is extremely strict. I think that CMM Level 5 is the only environment where one can actually be assured of reasonable quality code. I've seen way too much bad code come out of CMM-3 and -4 environments to give them much credit. If you've got great people, then a CMM-3 environment typically produces great results. For -3 and -4, what you put in is what you get out - not guaranteed greatness.

Re:Send jobs overseas, CMM (4, Insightful)

Anonymous Coward | more than 8 years ago | (#13772990)

CMM level 5 is no guarantee of quality! I worked in India and interviewed many a developer from CMM level 5 companies who were utterly useless. And this idiot who wants to make developers responsible for poor code - does he also advocate Ford or GM workers should be liable for cars that are easily broken into?

organizational problems are bigger part (4, Insightful)

Thud457 (234763) | more than 8 years ago | (#13773128)

1. What about slipshod companies that don't have proper processes in place to test & verify code before they ship it?

2. What about laissez-faire management that ignores any such processes that are in place so as to ship code on some arbitrary market-driven deadline?

CMMI (5, Insightful)

pdmoderator (63509) | more than 8 years ago | (#13773004)

CMMI doesn't guarantee good practice any more than membership in the Better Business Bureau guarantees good business. But I'd rather work in a shop that has CMMI in place than one that doesn't. It's insurance against the sort of death marches that create slapdash practice, shoddy product, and security holes in the first place.

Re:CMMI (5, Insightful)

ShieldW0lf (601553) | more than 8 years ago | (#13773172)

CMMI doesn't guarantee good practice any more than membership in the Better Business Bureau guarantees good business. But I'd rather work in a shop that has CMMI in place than one that doesn't. It's insurance against the sort of death marches that create slapdash practice, shoddy product, and security holes in the first place.

That's where this sort of thing leads: insurance.

If something like this were to happen, there would be an immediate chilling effect on software development, followed by liability insurance policies similar to what doctors have. Software developers would start having this insurance, and then when the end users start making claims, the mighty insurance companies will simultaneously raise their rates and use their financial and political powers to buy laws that cap their liability.

Developers pay money, insurance companies get money, end users get screwed, politicians and executives get rich. This is called "building economic value".

Re:Send jobs overseas, CMM (3, Insightful)

rovingeyes (575063) | more than 8 years ago | (#13773092)

Holding companies accountable, as suggested in the article, might be a slightly better solution, but again it's somewhat complicated when you start trying to hold an overseas company accountable

You don't hold overseas companies accountable, it's not our job. We hold local companies accountable. They received the money from us. We don't care how they spend it or don't spend it. Normally these companies don't tell you upfront that they are the middle man. If they do that then their accountability is diminished. But in reality most of these companies say they are producing the code, have their licenses and brand name on them. So you just hold them accountable. If a software screws up they pay, not the overseas company.

Re:Send jobs overseas, CMM (4, Funny)

Velox_SwiftFox (57902) | more than 8 years ago | (#13773105)

You're leaving out the lower levels. I take it CMM-1 is the level where if the software suddenly causes monkeys to fly out of the butt of the user, that it is perfectly within the specification?

Hey, God (5, Funny)

Anonymous Coward | more than 8 years ago | (#13772942)

About this little thing called "the mosquito" which we received as part of Earth v1.0....

Re:Hey, God (0)

Anonymous Coward | more than 8 years ago | (#13773149)

Blame Noah, he collected and compiled the code for Earth v2.0.

HAPPY BIRTHDAY! (0)

W3BMAST3R101 (904060) | more than 8 years ago | (#13772943)

One of the few companies that I don't see as completely corrupt.

Right.... (0, Offtopic)

787style (816008) | more than 8 years ago | (#13772945)

...and gun manufacturers should be responsible for murder.

Re:Right.... (4, Insightful)

Overzeetop (214511) | more than 8 years ago | (#13772975)

No, gun manufacturers should be liable for producing faulty safeties which do not function properly, or firing pins which may actuate without a trigger press.

Re:Right.... (1)

Otter (3800) | more than 8 years ago | (#13772991)

...and cigarette makers responsible for cancer and McDonalds responsible for obesity... Fortunately we don't live in a society like that, huh?

Re:Right.... (4, Insightful)

TheRealMindChild (743925) | more than 8 years ago | (#13772993)

Only if the gun blew up and killed the shooter.

Your comparison doesn't match because developers would be held liable for a skill that they present as "Professional". Similar would be making the bricklayer accountable for a building coming down.

Re:Right.... (0)

Anonymous Coward | more than 8 years ago | (#13773014)

They would be if they made buggy handguns that shot the user when he wasn't even trying to fire bullets.

wrong analogy (0)

Anonymous Coward | more than 8 years ago | (#13773016)

Gun makers should be punished if they make a gun which isn't safe for the *user* of that gun. As a matter of fact, I think they already are liable in that circumstance.

Your analogy is like suing Jon Johansen if I use DeCSS.

Re:Right.... (1)

inglishs (825536) | more than 8 years ago | (#13773166)

The Blame Game - it all depends on whose turn it is to blame this time. I would say that you are independent to choose the best software for your company, then you also have to take the ramifications that follow, bugs and the like. Also, if the programmers should be responsible, companies will end up testing into oblivion; the product would not be ready for sale until it is old and outdated. Though there could be something in his statement as well, thinking of automobile manufacturers. Sure, they have some blame when one of their parts fails again and again, causing a great deal of accidents. We expect them to replace the parts, like a guarantee.

I can see... (0)

Anonymous Coward | more than 8 years ago | (#13772949)

>>Howard Schmidt, ex-White House cybersecurity advisor

I can see now why he's the EX-advisor. Even Dubya thought his ideas were dumb. :)

Re:I can see... (5, Insightful)

rovingeyes (575063) | more than 8 years ago | (#13773034)

No kidding! If a car manufacturer produces a car that has a faulty part, is the engineer held liable? Hell no! It's the company. You don't hear John Doe recalling the cars. It's GM that recalls it. Whether John is fired or not is a different issue and up to the company. Similarly the Software company is liable for the product. You blame Microsoft (sorry it was an easy target)!

Who is the bad guy? (5, Insightful)

muellerr1 (868578) | more than 8 years ago | (#13772953)

Whatever happened to holding the people who exploit vulnerabilities responsible?

Re:Who is the bad guy? (5, Insightful)

pturpin (801430) | more than 8 years ago | (#13772988)

Nah, that requires too much effort. It is much easier to find someone whose name is tied to the code.

Re:Who is the bad guy? (3, Insightful)

mfifer (660491) | more than 8 years ago | (#13773009)

The two need not be exclusive.

One slightly contrived example...

A house has a door lock that's poorly made. A burglar jiggles the handle and it falls off and the door opens. You can bet yer bippy that the lock manufacturer is gonna hear from the homeowner's lawyer(s).

Re:Who is the bad guy? (1)

drakaan (688386) | more than 8 years ago | (#13773107)

Right, but the individual person who designed the handle isn't.

Re:Who is the bad guy? (1)

shawn(at)fsu (447153) | more than 8 years ago | (#13773036)

They do, and then some people on /. say we should thank them and actually blame the software vendor; in most cases that usually means blaming MS. I'm not going to say everyone here but a certain amount gets all upset when they sentence a minor for doing exactly what you suggest.

Re:Who is the bad guy? (0)

Anonymous Coward | more than 8 years ago | (#13773093)

We all complain about badly written software containing security flaws, but we do have to put the blame on the people exploiting these issues. In no other industry would we have this situation. Imagine seeing the following story:

"Toyota have announced a vulnerability with the latest Corolla whereby an attacker can simply and quickly slash the car's tires. Tests show that, if exploited, it could cause a car to crash. Security experts are attacking Toyota over the total lack of security in their wheel architecture leaving vehicles wide open to attack."

Not a great example, ok, how about it's not slashing tires, it's cutting the brake cables, and there's thousands of attackers lining the streets waiting for you to stop long enough for them to dash under your car and cut the cables. Would we hold the manufacturer of the car responsible? Would we hold the driver responsible when they can't stop? If we applied the same reasoning we often do to computers we'd castigate the car manufacturer and tell the driver to get a clue, after all they shouldn't ever need to stop long enough to be attacked and they should have a brake cable warning system installed in their dash.

Re:Who is the bad guy? (1)

Paul Rose (771894) | more than 8 years ago | (#13773156)

How about if cutting the brake cables on one Toyota disabled the brakes on all Toyotas?

With remotely exploitable security flaws this is sometimes the case for software.

Re:Who is the bad guy? (5, Funny)

ScentCone (795499) | more than 8 years ago | (#13773137)

Whatever happened to holding the people who exploit vulnerabilities responsible?

That's crazy talk! What are you thinking, man? Next you'll suggest that when I walk down the street with my entire head completely exposed and vulnerable, that somehow the mugger that hits me over the head with a baseball bat may somehow be responsible for the outcome! See how crazy you are?

Or, when I lock my door and leave my house for the day, and a guy comes along with a sledgehammer and just breaks in anyway - I suppose you think that the person with the sledgehammer is somehow responsible for that? Totally twisted, man.

If anyone it should be the managers (5, Interesting)

metternich (888601) | more than 8 years ago | (#13772958)

You need proper code reviews, etc. if you want to find security flaws. The company writing the code should be responsible for organizing such things.

Re:If anyone it should be the managers (1)

sakri (832266) | more than 8 years ago | (#13772976)

greedy managers who want it "done for tomorrow"

Re:If anyone it should be the managers (0)

Anonymous Coward | more than 8 years ago | (#13773089)

You're lucky if you don't have the type of manager who wants it "done for yesterday"

Re:If anyone it should be the managers (2, Interesting)

gl4ss (559668) | more than 8 years ago | (#13773058)

it's all about money in the end.
going over the code with a few extra eyeballs costs - it costs in wages and it costs in _time_.

also sometimes it's about compromises.. sometimes the things are designed badly in some aspects so that the product is convenient in others.

No one is responsible (1, Funny)

Anonymous Coward | more than 8 years ago | (#13773061)

No one is responsible for security flaws in software products. It says so in the EULA.

Wouldn't that be like... (0, Redundant)

Treacle Treatment (681828) | more than 8 years ago | (#13772963)

Wouldn't that be like holding a car manufacturer liable for mis-use of a vehicle?

Re:Wouldn't that be like... (2, Insightful)

scovetta (632629) | more than 8 years ago | (#13772986)

Not at all. It'd be like holding car manufacturers liable for defects that cause people to get hurt.

And we do that today.

Why should software be any different, except that writing bug-free software is probably just as hard as designing a "perfect" car.

Re:Wouldn't that be like... (5, Insightful)

Skye16 (685048) | more than 8 years ago | (#13773050)

We hold them liable for defects that cause people to get hurt.

If you're going to attempt to compare apples and oranges, let's at least use an orange colored apple, shall we?

It'd be like holding car manufacturers liable for not making a car absolutely impossible to break into.

Re:Wouldn't that be like... (1)

91degrees (207121) | more than 8 years ago | (#13773108)

Well... perhaps. But then you get to a pointless analogy and bickering until both sides have an analogy that, while being perfectly analogous, doesn't actually clear up whether the company should be held responsible.

But let's stick with this for now. Just how much responsibility should a car company take over security? If the locks didn't lock, should they be held accountable? If there is an easily exploitable flaw then should they be held accountable? What if they bought their locks from another supplier (which most companies will do)? Who should be held responsible? Should the designer of the lock also be held responsible?

Re:Wouldn't that be like... (1)

scovetta (632629) | more than 8 years ago | (#13773171)

Ok, good point, but do we have to define hurt as "physically hurt"? If my business goes down because of an e-mail virus that spreads due to a bug in Windows, and I lose $100,000 per day for 3 days until I get it back up, and that forces me to lay off someone, then isn't there some 'hurt' involved too?

I think the point is that currently the only incentive towards producing quality software is that of market forces (you produce crap, people go elsewhere). The threat of lawsuits may very well improve the quality of commercial code substantially (though OSS code might be a problem).

Re:Wouldn't that be like... (0)

Anonymous Coward | more than 8 years ago | (#13773101)

Not at all. It'd be like holding car manufacturers liable for defects that cause people to get hurt...

Why should software be any different,


Well, medical software is in a whole different category. When a device (a computerized X-ray machine, for example) is approved in the US by the Food & Drug Administration, the manufacturer is liable for defects and software bugs that cause injury. They can't weasel out of liability.

Re:Wouldn't that be like... (0)

Anonymous Coward | more than 8 years ago | (#13773173)

Er, writing perfect software isn't just "hard"..it's an entire branch of mathematics within Computer Science.

Then again, bad coders are everywhere. Let's try an experiment; I'd like to see how many people here can write a version of "Hello World!" in fully compliant ANSI C99 without any bugs or undefined behaviour. Easy, right?

Re:Wouldn't that be like... (1)

Agelmar (205181) | more than 8 years ago | (#13772995)

While I don't agree with the article's suggestions, I don't think your analogy holds. It's not like holding Ford liable for someone ramming a Taurus into a storefront, it's like holding Ford accountable if a defective steering column caused a Taurus to run into a storefront.

Re:Wouldn't that be like... (1)

Tim Browse (9263) | more than 8 years ago | (#13773135)

-1, Car analogy :-)

Anyway, I think a better analogy would be holding car manufacturers responsible if it was trivially easy for someone who knows what they're doing to break into your car and steal it.

Oh, wait, it is trivially easy to do that with most cars...hmm.

Re:Wouldn't that be like... (1)

muellerr1 (868578) | more than 8 years ago | (#13772999)

Exactly. Sue the guy who designed the doors because they're too easy to open with a screwdriver and a hammer. This is what updates are for: if the car manufacturer is worried about getting sued over their crappy doors, they recall the cars and fix them. This does not guarantee that every car will get fixed, but it puts the liability back onto the car owner to bring their car in for the 'upgrade' like a bug fix.

Re:Wouldn't that be like... (1)

mbelly (827938) | more than 8 years ago | (#13773027)

Nah, it'd be more like holding a car manufacturer liable for a faulty part. Even if the part only fails in certain extreme circumstances, it is still a fault.

Re:Wouldn't that be like... (1)

the_Bionic_lemming (446569) | more than 8 years ago | (#13773047)

Nope - It's more like the worker who made the part being personally responsible if it failed.

So if a tie rod broke, and caused an accident - Joe Sixpack should serve time.

Re:Wouldn't that be like... (1)

MoonFog (586818) | more than 8 years ago | (#13773035)

The only thing statements like these are good for is amusement from the numerous analogies that will be drawn.

Imo, it's kind of pointless to compare cars, bridge construction etc to programming. Programming is an art in itself, and the CEOs are the people who demand NO BUGS and at the same time require the application to be developed by two guys in one week with a feature set list longer than the bible.

Re:Wouldn't that be like... (1)

stunt_penguin (906223) | more than 8 years ago | (#13773100)

No, it'd be like holding the car manufacturer accountable if someone could walk up to your car, work the windshield wipers back and forth 3 times, try all 4 door handles in just the right order and by doing so gain access to the vehicle. That or Firestone type tyre blowouts.

Re:Wouldn't that be like... (1)

Profcrab (903077) | more than 8 years ago | (#13773133)

I think a more correct analogy would be holding an auto manufacturer liable for not making sure that their car is 100% resistant to theft. People buy cars all the time with certain security features and the cars are still stolen.

Sheesh! (5, Insightful)

MeBadMagic (619592) | more than 8 years ago | (#13772967)

Remind me not to work for this guy.....

Why not make CEOs personally liable for not putting the code through proper QC channels and selling it over-promised.

Made to sell, not to use? Whose fault is that?

B-)

Re:Sheesh! (1)

Karma_fucker_sucker (898393) | more than 8 years ago | (#13773052)

Why not make CEOs personally liable for not putting the code through proper QC channels and selling it over-promised.

Or, having a company culture that promotes sloppy development cycles. I doubt the CEO has any clue about the nitty-gritty of his software team but he sure is responsible for the people under him and any decisions he makes about saving money - ex. sending the coding overseas to a firm without making sure their credentials are factual and that they in fact have the experience to produce the code according to spec.

Re:Sheesh! (1)

slashnutt (807047) | more than 8 years ago | (#13773143)

I would have to agree; software developers shouldn't be held liable for the code written by them. You have PHBs, stockholder value and, among other things, simply getting paid. Code is written to get a check; as long as you are doing well in the environment and getting checks then there is no need to change. The coder is doing what is being requested. Managers don't like code reviews - fine, keep doing whatever you are told and keep getting paid.

Now let's talk about people that call themselves Software Engineers. Now a real engineer has to be certified and in some (US) states you can't use the title until you pass some criteria. A lot of people use the title on their resume anyway, but whatchagonado. Now, if you are hired as an engineer (you put the title Software Engineer on your resume), then I believe that you are to be held to a different standard. A lot of engineers are held liable for damage done within, say, structures, bridges, buildings etc. Therefore, I only think the Software Engineers that are hired as such with proof of board certification should be held liable in some negligent cases for poorly done code. But some poor schmuck that is just getting a check shouldn't be.

Re:Sheesh! (1)

rovingeyes (575063) | more than 8 years ago | (#13773155)

Actually it is the CEO's fault in most cases. Sacrificing QA for being on or before time to market. I have personally been involved in projects where I had to deploy code because there was pressure from higher up. I made it clear that the thing is not ready but the argument they make is - "doesn't matter, we can release patches and upgrades!" Responsible? My ass!

Hold Government Leaders personally responsible (4, Insightful)

HeaththeGreat (708430) | more than 8 years ago | (#13772969)

That proposal sounds fine, but then we should hold government leaders personally responsible for wrongdoings of government.

I'd love to see some jail time or a fine for Mike Brown after Katrina, or how about some jail time for Bush after the false pretences of Iraq?

Re:Hold Government Leaders personally responsible (4, Interesting)

Skye16 (685048) | more than 8 years ago | (#13773102)

While the parent references Bush, this works both ways. Actually, it works all ways. Delay? To the pit with him. Clinton? An oubliette. (Not for the adultery - I don't think that's illegal in DC - but for the lying under oath ("I did not have sex with that woman" (okay, maybe there's room for debate, as he only got a blowjob, but if a court does find him guilty, THEN to the oubliette)). I'm sure there are some Independents out there guilty of some things. Democrats too.

Personally, I think if you're in government, and you break the law, you should get double to triple the punishment you normally would. Why? Because you're held to a higher fucking standard, that's why. Don't like it? Don't run for office.

Not that any of this was really on topic...

Re:Hold Government Leaders personally responsible (0)

Anonymous Coward | more than 8 years ago | (#13773126)

"Some" jail time for Bush? Screw that, I want pictures of him being forced to hold another guy's dick by grinning security goons in a little no-name prison. I want pictures of Bush being attacked by dogs while green-shirted morons just watch. I don't want him to just sit in jail. I want the full-on Gitmo treatment. Hey, if the neocons think that crap is okay, let's let them take some of it. We won't even need to give him a trial!

Then Why Isn't Bill Clinton in Jail? (0)

Anonymous Coward | more than 8 years ago | (#13773145)

Nuf said!

Want me to pay 10x more attention when I code? (3, Insightful)

Anonymous Coward | more than 8 years ago | (#13772971)

Want me to pay 10x more attention when I code?

Pay me 10x more. And don't be in such a hurry for your product to get completed.

As the saying goes: Fast, good and cheap. Pick 2 (1)

denis-The-menace (471988) | more than 8 years ago | (#13773064)

Fast, good and cheap. Pick 2.
Fast and good= Expensive
Fast and cheap= Buggy code
Good and cheap= you better be patient

Not coders fault (4, Insightful)

Quasar1999 (520073) | more than 8 years ago | (#13772979)

It's usually poor management that forces the product to be out the door 6 months before it's ready. Either keep your job and release a buggy product or stick to your guns and get fired. I think it should be the company, not the individual developer held accountable. How the company handles things internally is up to them.

Re:Not coders fault (1)

werd life (94886) | more than 8 years ago | (#13773096)

This is exactly it.

Me: Do you want it done right, or do you want it done fast?

Product-guy: We want it fast.

This proposal is so far out there, there's not really any need to worry about it, but if it ever happened, watch US business (especially startups) grind to a halt.

Right. (4, Insightful)

Bozdune (68800) | more than 8 years ago | (#13772980)

Sure, let's sue the pants off anyone who does anything wrong. Let's make it impossible for anyone to create anything new or different. Cradle-to-grave protection, ensured by armies of well-intentioned and socially-responsible attorneys -- that's the sure way to economic success!

Re:Right. (1, Funny)

Anonymous Coward | more than 8 years ago | (#13773127)

ah - but if you lose the court case, then it's actually the lawyer's fault so he gets to pay the damages....
sounds good to me!

what do you bet... (0)

Anonymous Coward | more than 8 years ago | (#13772981)

that this guy is a PM, and read something somewhere?

nonsense (4, Insightful)

moz25 (262020) | more than 8 years ago | (#13772997)

While I agree that accountability is a good thing, liability without major restrictions seems like a dangerous thing. I am a software developer myself and I give my clients the guarantee that all bugs they discover within 6 months will be removed free of charge. Since I have no knowledge of how much losses they will claim as a result from even trivial bugs (yes, some clients are greedy), accepting liability is not something I'm going to do.

Oh, yeah (2, Insightful)

ceeam (39911) | more than 8 years ago | (#13773000)

You can as well ban "software development" as a trade. After all - WTF? You get what you pay for. I say that your average "in-house" enterprise software system has complexity no less than Toyota Camry or something. The difference being that software would be developed by 1-10 men during a year or two whereas any other _industrial_ design costs (both in $$$ and "man/hours") much, much, much bigger. But who cares? Get back to coding, you idiots!

Re:Oh, yeah (1)

muellerr1 (868578) | more than 8 years ago | (#13773070)

People will sue the people who have the money to pay. You don't sue a peon coder because frankly, you're not going to get your damages even if you win.

Yeah, let's blame the developers. (5, Insightful)

killproc (518431) | more than 8 years ago | (#13773007)


I am currently the Development Lead / System Architect at my company. In my experience, the majority of "issues" and or "bugs" that I have seen crop up have been directly tied to poor requirements gathering by our "Business Analysts".

Often, it turns into a real pissing contest between the two groups. Usually, after testing reveals that the grand vision of the BA is a crock we will usually revert back to the original recommendation of the development group.

Yeah, let's blame the developers for the problems. That's the ticket.

Says it all (3, Funny)

ackthpt (218170) | more than 8 years ago | (#13773010)

ex-White House cybersecurity advisor

I didn't catch the ex- part the first look and thought "whaaaat?" as I know the current White House occupation force is very Microsoft Friendly and would never endorse such sentiments.

The consultants will love that. (3, Interesting)

Jaeph (710098) | more than 8 years ago | (#13773017)

It's not always a question of the coder, and a bug is not always a bug. In the example in the article, for all we know the specification called for a plain-text transfer, and the coder did exactly right.

So we'll have yet more wrangling over specifications, more walls between users and developers, and more CYA behavior. That'll be fun.

-Jeff

Dishing off the responsibility... (1)

inajamaica (906275) | more than 8 years ago | (#13773018)

This is an example of someone looking for someone else to point the finger at. While I would love to see more developers take their coding very seriously, the systems in question are way too large and typically developed in way-too-tight a schedule to ever expect developers to monitor their implementations as cautiously as to personally be responsible for security vulnerabilities. And maybe the GAT testers should actually test their contractors' software instead of pushing it through.

Education system? (5, Funny)

JemalCole (222845) | more than 8 years ago | (#13773019)

He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system.

You know, I don't think it's entirely his fault that he's an idiot: I blame the education system.

Law Suits (2, Interesting)

Treacle Treatment (681828) | more than 8 years ago | (#13773020)

Look at it this way. There are already laws on the books that say I can sue company X for giving me a POS. Why go after the poor slob who works for the company? If I have a blowout on a tire on my car should I track down the guy on the assembly line that was working that day or go after the company whose process stinks?

Re:Law Suits (1)

Overzeetop (214511) | more than 8 years ago | (#13773083)

But you agreed to the EULA when you installed, which states that the software developers have no liability whatsoever, even if the software is unusable, produces faulty results, and causes you direct harm. I mean, you agreed to it, right? Right? Sounds like he wants to make those clauses explicitly null and void, rather than them being theoretically invalid, but requiring a great deal of cash and a bucket of luck to prove they're invalid only after a loss has occurred.

Didn't this all start back with visicalc, or some other spreadsheet, which included the "if it makes a mistake and your building collapses due to a calculation error it's not our fault" clause back in the early 80s?

What a dumb idea. (2, Insightful)

mjparme (9020) | more than 8 years ago | (#13773023)

So should construction workers who help build a house that gets burglarized be held personally responsible?

If we hold devs responsible how about politicians? (1, Insightful)

digitaldc (879047) | more than 8 years ago | (#13773031)

If we are supposed to hold developers responsible for security flaws, why don't we hold politicians responsible when they give us false reasons for going to war, responding to disasters and evaporating budget surpluses?

In the world of corrupted politics today, it is hard to find ANYONE accountable for ANYTHING. Why should it be different for everyone else?

Just a thought.

nice sound bite (2, Insightful)

romeo_in_blk_jeans (782924) | more than 8 years ago | (#13773038)

The only thing that's happening here is a nice sound bite that's engineered to sound good to the clueless masses but, ultimately, isn't meant to go anywhere or do anything. Basically, it's politics in action. "See? I'm tough on problems! I'm a go getter! I want to hold the developers personally responsible for the bugs they write!" Whatever.

It's the system, not the individual (5, Interesting)

coyote-san (38515) | more than 8 years ago | (#13773039)

While individuals can make stupid mistakes, the real problem is in the system and managers are ultimately responsible.

As a simple example, take a web application. The web people believe (reasonably or not) that the form fields will be cleaned up by the backend people. How do they know what's dangerous anyway? The backend people believe (reasonably or not) that the data will be cleaned up by the web people. How do they know the various encoding schemes used, etc.?

Then some **** adds a cross-scripting exploit and compromises sensitive information.

Who's responsible, the developers or the managers? Even if the developers are paranoid, what about the errors introduced as everyone tries to handle conditions outside of their sphere of knowledge? What about the new security flaws introduced by that?

Bah (2, Insightful)

kpat154 (467898) | more than 8 years ago | (#13773048)

This is just what the software industry needs: Another business guy who has never written a line of code trying to tell the rest of us how to do our jobs. For all of the whining and crying about bad software you'd think they'd actually put the developers in charge for once. I can't speak for the industry as a whole but from my perspective 70% of the problems in the development world come from business types setting impossible deadlines and failing to listen to their developers.

OSS Projects? (3, Interesting)

psyon1 (572136) | more than 8 years ago | (#13773049)

How would this affect OSS projects? Would the development community be liable for damages caused by bugs in software? I have seen a lot of free software that comes with a disclaimer waiving all responsibility of the author, would that still hold up?

Chain of responsibility (5, Insightful)

91degrees (207121) | more than 8 years ago | (#13773051)

Hold the vendors responsible. They are responsible for 100% of all problems that are not the fault of the customer.

The vendor then holds the developer responsible. They are responsible for 100% of all vendor bugs that are not the responsibility of the vendor.

The developer then holds the programmer responsible. He or she is responsible for 100% of all developer bugs that are not the responsibility of the developer.

It's the way it works everywhere else. If you have a faulty product, you take it back to the shop. They then take it back to the manufacturer and if it's a fault caused by a specific individual, they either sack him or train him properly. The purchaser would generally not sue the guy on the production line or the designer, even if it was their fault.

There are good reasons for doing things this way. It prevents people from passing the buck. It means each entity along the line is wholly responsible for ensuring quality.

Liable for what? (3, Insightful)

mccalli (323026) | more than 8 years ago | (#13773057)

For bugs in the code you write? For bugs in the compiler which compiled it? For bugs in the operating system which ran the code? For bugs in the design of processor which executed it? For impurities in the particular processor the code was run with which caused it to malfunction at a certain clock speed?

Nonsense.

Cheers,
Ian

He can't afford it (5, Insightful)

samjam (256347) | more than 8 years ago | (#13773059)

Few people on this planet can afford software developed to such a standard.

There will always be a market for "cheaper" software that is not guaranteed to such a level, and with support contacts instead, where developers will try a moderate amount to fix problems as they arise.

From another perspective, the market is demanding of cheap software - not good software, which is why there is so much of it.

Sam

deliberate attack cannot be engineered against (0)

Anonymous Coward | more than 8 years ago | (#13773066)

I could kinda/sorta see holding someone liable for foreseeable events when he put out a piece of code as commercially usable (e.g., sells it). However, security attacks are basically not predictable, and are statistically fantastically improbable data patterns as random or mistaken inputs. Makes no more sense to hold a designer responsible for falling victim to this than it does to hold a building designer liable if someone fires artillery at the building and the building is damaged/destroyed.

Yes, there is an art of fortress design, but that has never been considered exact science. There are too many new ways people invent to attack fortresses. Same holds for code.

The kind of proposal here is a measure of the intelligence and understanding of the fed involved: low.

Give the customer the tools to decide (1)

hmmm (115599) | more than 8 years ago | (#13773068)

Developers, or rather their company, should be required to produce a security statement of some sort. This would set out the level of confidence they have that their software is secure. It would set out the development practices that they used to ensure security, and would incorporate a simple risk assessment.

It would then be up to the customer to decide what level of security they require. If the developer says "I don't care about security and wrote the software with that principle in mind", then a customer has no right to complain if they purchase the software and security issues arise. Alternatively, if a developer says that they develop with security in mind and adopt principle x, y, z and testing strategies a, b and c, then if a security bug arises that should have been caught by one of those activities the customer has a legitimate grievance.

Here's another idea... (1)

clevershark (130296) | more than 8 years ago | (#13773069)

In the same vein strong penalties should be imposed on customers who insist on having a lot of features added to a product at the last minute.

I assume next we will hold (1)

Kazrael (918535) | more than 8 years ago | (#13773158)

...automobile engineers personally responsible for brake failure
...building architects personally responsible for a collapsing foundation

Poor software doesn't just belong to one developer or even a small team of developers, it involves a poor business structure. This includes a lack of source control, poor time constraints, lack of a testing environment, etc. This guy is clearly nuts.

Dear Mr Schmidt (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13773075)

Dear Mr Schmidt,

Thank you for your insightful comments regarding security flaws in code. As a well regarded member of the 'cyber-security' community, I find your perspective to be quite fascinating.

No doubt, in your long years as the former head of security with this community's favourite software development company, Microsoft, you gained much valuable experience in developing secure code.

I am not entirely clear how you envisage this 'personal liability' working in practice. Should we perhaps lien a programmer's personal property, dwelling and car as soon as he or she begins development of software? This will no doubt have the beneficial effect of attracting many new recruits to this fun and exciting industry.

Might I also suggest, whilst we consider matters of personal responsibility, that we hold politicians and their appointees personally responsible for their actions. There is the small matter of the US national debt, that I am sure we could sit down and discuss at some length.

Kind regards,

Anonymous Coward

No problem (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13773080)

But... You no longer get to dictate any kind of timeframe for completion. It will be done when I'm certain that it's perfect.

Deal?

Who Does He Say is Responsible? (1)

doomicon (5310) | more than 8 years ago | (#13773091)

A previous poster suggested that he wanted to hold companies responsible, however the way I read it, he wants to hold the individual developing the code personally responsible. Am I reading this correctly?

As I read it, Company A can still maintain their blanket "No Responsibility Whatsoever" EULA, and we'll just hold Joe Schmo (or Ackmed in this case) responsible.

Secondly, as a previous poster states, most of these jobs are being shipped overseas. I'm not so sure that India or China is going to cooperate all that much if someone is trying to hold one of their citizens personally responsible for bad code.

Flawed Premise (2, Insightful)

GogglesPisano (199483) | more than 8 years ago | (#13773094)

To put the entire blame on the developer misses the point.

While programmer ignorance, incompetence and/or laziness certainly plays a role in the problem, there are other factors that should be considered:

(1) Death-march-style deadlines imposed by management, leaving no time for proper design, threat modeling, or testing.

(2) Security flaws in the underlying infrastructure (operating system, network, etc).

(3) Malice/stupidity of authorized users to bypass established safeguards.

Security is the responsibility of everyone involved in the creation, management, and use of a system, not just the hapless developer.

Read his bio... (0)

Anonymous Coward | more than 8 years ago | (#13773109)

This from a guy who thinks Phoenix University is where you can get that training... Hehe...

Sure... (0)

Anonymous Coward | more than 8 years ago | (#13773113)

Sure.. hold the developers responsible but first we need some provisions in the law.

  1. The developer can take all the time he/she needs to ensure their code is of the highest quality.
  2. The law should also state managers should stay off the developers' backs to meet some arbitrary deadline.
  3. This law could also state that Managers must sign off on all "cut corners" and take full responsibility from that point on.

Grrrrr. (1)

omgpotatoes (916336) | more than 8 years ago | (#13773117)

Let us beat him.

I was going to bitch a little more, then I thought about it. He has a point, albeit a small one. The software industry on the whole does have a very tolerant attitude towards flaws in products. However that's just the free market at work - fixing bugs adds cost to product, to compete we cut costs, buyers don't mind bugs in most software, and software being a low personal-investment product for most people (not us), they won't shop hard to select for/reward bugfree software.

I've heard stories about how space shuttle software is proved, line-by-line, and therefore is completely bug-free but 20 years out of date and prohibitively expensive. There's a tradeoff involved. The real question is: should we be at the current tradeoff point? The free market doesn't always produce the optimal solution...

Plenty of Blame to go Around (1)

dcw3 (649211) | more than 8 years ago | (#13773121)

Certainly there might be a case for putting some blame on the coders, but I'm not going to argue the value of finding a scapegoat here. However, how about adding to this list...

1. The customer with constant requirements changes
2. The manager that expects the job done with an unrealistic budget or schedule.
3. The systems engineer that screwed up the design
4. The QA guy that didn't properly test, and find the bug.
5. The folks that all signed off on the formal inspection of that code
6. etc.

If you want rock solid code, you're going to have to pay for it with both schedule and budget. When people

Challenge accepted! (1)

nimid (774403) | more than 8 years ago | (#13773130)

I think this is a superb solution and it should be implemented immediately - after CEOs are held responsible for any wrong doing by their company...

Long term health issues
Pollution
Corruption
Payola
Poisoning
Bodily harm

...but wait it would appear they'd also be responsible for their coders producing bugged code... oh, dear. Perhaps this isn't such a good idea after all?

-1, troll (0, Troll)

fuzzy12345 (745891) | more than 8 years ago | (#13773140)

YHBT, YHL, HAND

Yeah. Sure. (1)

selfsealingstembolt (590231) | more than 8 years ago | (#13773142)

What about holding politicians or managers liable for their misjudgements and mistakes? Or maybe hold journalists/reporters liable for their spelling and grammar mistakes?</sarcasm>

If the software is in some sort of life-endangering system, that is already the case. But for a security breach? That would be like suing a lock-maker for not being able to produce an unpickable lock.

If someone were obviously negligent, we could talk about it. But for a bug? People make mistakes. Software is more complex than any other tool ever invented. Combine those two, and it is inevitable that mistakes occur, unless you spend A LOT of resources for testing and/or proving the code correct. And that does not prove the design and requirements to be correct, only that the implementation matches the design.

Full of "Schmidt" (4, Insightful)

guitaristx (791223) | more than 8 years ago | (#13773147)

This is absolute bunk! Most often, programmers would have a 5-10% stake in responsibility when compared with the mountainous bureaucracy above them. Consider how often a non-technical exec overseeing a software development project will agree to a contract that is nigh impossible to complete on-time. The customer holding that contract begins squeezing testicles, placing pressure (by extension, through the bureaucracy) on the entire development process. The exec says, "You mean there isn't a programmer writing or debugging code this very instant!? What a crime! You're not doing your jobs properly!" The truth of the matter is that ~30% of the project timeline should be research and design. Without a good design, and resources on-hand, bugs creep in. It is impossible to test quality into software, it must be designed in.

Programmers don't draft contracts, they don't set deadlines, they don't make budget decisions, and certainly aren't responsible for failing to keep bugs out of a system that was (due to poor decision making in the aforementioned areas) designed to have bugs.

How about we blame ... (1)

SengirV (203400) | more than 8 years ago | (#13773154)

... The pointy hair types that change requirements at the drop of a hat for no apparent reason. When the impact is explained to these pointy hair types, their eyes glaze over and they tell you to do it anyway.

But since when has logic ever been a factor in anything a politician (ex in this case) says or does?

Some Accountability is Good (2, Interesting)

LexNaturalis (895838) | more than 8 years ago | (#13773160)

I think I agree with the British Computing society more so than with Mr. Schmidt. I think coders should be held responsible, within a company, for poor code that they write, but overall the company should be held liable for bad code that it ships. If a company fails to have proper QC, then it's the company's fault, not the fault of a lone coder who might have written an insecure subroutine. Most companies don't have single coders, and rarely is there a single coder who has full (100%) knowledge of the other 10,000,000 lines of code in the product. I think proper education, as stated in TFA, is a better idea. Why not send the employee to a security class if the coder continually writes insecure code? That'd solve the responsibility issue and the education issue. Then, the company would produce more solid code and everyone wins; especially the consumer.

Sarbanes-Oxley (3, Informative)

ihistand (170799) | more than 8 years ago | (#13773164)

I write financial reporting software for my company. Before anything is installed, even the most minor one-line bug fix, I have to sign a Sarbanes-Oxley statement of compliance. There are criminal consequences for not performing these steps properly. My QA person also has to sign this. My CIO is also held personally responsible, in that he/she could go to jail if something I wrote caused inaccurate financial reports to be released.

I suspect many people who write software, like myself, are already personally responsible. And so we should.