Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Insecure Code - Vendors or Developers To Blame?

Zonk posted about 9 years ago | from the i-blame-code-gremlins dept.

Security 284

Annto Dev writes "Computer security expert, Bruce Schneier feels that vendors are to blame for 'lousy software'. From the article: 'They try to balance the costs of more-secure software--extra developers, fewer features, longer time to market--against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales. The end result is that insecure software is common...' he said. Last week Howard Schmidt, the former White House cybersecurity adviser, argued at a seminar in London that programmers should be held responsible for flaws in code they write."

Sorry! There are no comments related to the filter you selected.

Errors and Omissions Insurance (3, Insightful)

geomon (78680) | about 9 years ago | (#13845476)

Great news for the E&O insurance industry! When programmers become liable for the mistakes (read: human nature) of their creations then everyone who codes for a living will have to consider buying insurance to hedge their risk, or find another form of work.

E&O is incredibly expensive. I looked into buying a policy when I started doing environmental work due to the possibility that I could be named a 'potentially responsible party' in an environmental enforcement action by the government. I side-stepped that need when I went to work for a large firm that could afford the E&O insurance. You can bet that cost was included in my chargeout rate.

That is what this effort will lead to for independent programmers. You will have the choice of buying E&O insurance, provided you qualify, and jacking your prices up to cover your costs, or you will have to work for a company that already has it. Hobby/free software enthusiasts are screwed.

I prefer the policy of 'caveat emptor'. If you install free software on your production machine without properly vetting it you are not only a fool but should bear all of the costs yourself.

Re:Errors and Omissions Insurance (4, Insightful)

RingDev (879105) | about 9 years ago | (#13845607)

You'll notice also that this does nothing to improve the security of the code. It just makes it more expencive.

-Rick

Re:Errors and Omissions Insurance (2, Insightful)

Godeke (32895) | about 9 years ago | (#13845669)

Give this man a dollar! E&O insurance actually increases the rate at which lawsuits are filed (since you have a better chance of actually being paid out). Now, the threat of having your E&O insurance premiums increase is a motivator, I don't think it is much of one as the scenario where you don't have E&O insurance and you are "self insuring".

Net result: not much additional motivation to secure code, more suits and thus costs increase to feed the lawyers instead of the process.

Re:Errors and Omissions Insurance (-1, Flamebait)

Anonymous Coward | about 9 years ago | (#13845618)

lick the SHIT FROM MY ASSHOLE you fucking pussy faggot

Re:Errors and Omissions Insurance (0, Flamebait)

geomon (78680) | about 9 years ago | (#13845664)

you fucking pussy faggot

In America, if I fuck a pussy, I am not a faggot.

IN SOVIET RUSSIA (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13845725)

In Soviet Russia,

the pussy fucks YOU

Re:IN SOVIET RUSSIA (1, Funny)

geomon (78680) | about 9 years ago | (#13845752)

Now why didn't I see that one coming?

Re:IN SOVIET RUSSIA (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13845793)

And in the US too, if your name is Roy.

Re:Errors and Omissions Insurance (1)

eln (21727) | about 9 years ago | (#13845636)

If you install free software on your production machine without properly vetting it you are not only a fool but should bear all of the costs yourself.

If you install ANY software on your production machine without properly vetting it, you are not only a fool but should bear all of the costs yourself.

Why not?! (1, Insightful)

orangeguru (411012) | about 9 years ago | (#13845491)

Almost all other professions have to take responsibility for their work and constructs - why are programmers an exception?!

Re:Why not?! (1)

geomon (78680) | about 9 years ago | (#13845536)

Almost all other professions have to take responsibility for their work and constructs - why are programmers an exception?!

Well, they aren't. Doctors and lawyers have certifying boards (here in the US) that can sanction irresponsible behavior, and the worst cases can result in lawsuits. Architects and engineers usually have to find an insurance carrier who will underwrite their work. That is what errors and omissions insurance is for. It is expensive and hard to qualify for.

Re:Why not?! (5, Insightful)

Anonymous Coward | about 9 years ago | (#13845594)

We're an exception because you pay us next to nothing and give us no time to work. You don't hire an engineer and then tell him to build a bridge in a few weeks.

Tell you what, I'll get licenced to write code and be legally responsible for it the day that customers are willing to pay about 8x what they current pay for the software, and can wait about 4x as long. Can you make that happen? I'm waiting anxiously, because *I* don't get to make those decisions.

So guess what...you want good code, hold the *EMPLOYER* responsible. I'll bet I suddenly find myself with all of the time I need to develop quality softare.

Re:Why not?! (0, Offtopic)

ak3ldama (554026) | about 9 years ago | (#13845737)

amen, mod parent up

Re:Why not?! (4, Insightful)

Quasar1999 (520073) | about 9 years ago | (#13845653)

As a software developer, I'll take responsiblity for bugs in my code and the damages they may cause, the day that politicians take responsiblity for their campain promises and the crap they end up passing as law later...

Re:Why not?! (5, Insightful)

cpuh0g (839926) | about 9 years ago | (#13845713)

Really? If your car's engine has a problem, do you sue the machinist who made the faulty part or just sue his company? Individual engineers who work for a company that creates software are responsible within the company, but should not be exposed personally. The company takes the ultimate responsibility for the products they produce. If they shortchange the development cycle in order to rush to market and the product is crap, the company takes the hit, not the engineer who wrote the code.

Re:Why not?! (1)

cerelib (903469) | about 9 years ago | (#13845716)

Say a building collapses because one of the supports was not welded/poured/constructed properly. Would it be a fair solution to hold the few construction workers that worked on that support responsible for any damage or loss of life? No, that is completely ridiculous. If a company sells a product it is their legal responsibility. The construction company has a right to fire those responsible, but they should not be able to sue them for mistakes.

Re:Why not?! (1)

GoatMonkey2112 (875417) | about 9 years ago | (#13845731)

Give me some specific examples other than doctors and lawyers. That's all I've seen anyone mention in this thread so far.

Re:Why not?! (4, Insightful)

timeOday (582209) | about 9 years ago | (#13845732)

Almost all other professions have to take responsibility for their work and constructs
They are? I never sued a farmer because I cut open a watermelon and it was bad inside. I never sued a GM engineer because my transmission only lasted 60K miles. I never sued a weatherman because his forecast was wrong. I never sued a chef because I had a bad meal.

My point is, there's a whole range of "bad things" that happen, from clearly negligent to uncontrollable, and a lot of stuff in between, and we make that judgement every day by assessing or not assessing blame.

To construct large, complex software systems without bugs (including security flaws) is beyond the state of the art. In fact, it is beyond the state of the art by definition: if we could make today's systems bug-free, we could, and would, make even more ambitious systems by tolerating some rate of errors. Conversely, with today's state of the art, if we placed correctness (including security) above everything else, we'd have to cut way back on what we attempt, and charge a lot more. The market has already decided that's the wrong approach.

Re:Why not?! (2, Interesting)

Anonymous Coward | about 9 years ago | (#13845798)

In no way can they hold me personally responsible. The company I work for makes all kind of sacrifices to win the bid. General quality is what is mostly sacrificed by having ridiculous deadlines and cutting testing time.

I would love to have luxury of being able to build properly secure solutions and perform extensive system testing, but it's just not possible. The same is true for proper documentation and being pro-active during maintenance contracts.

The worst part of it all is that the clients have gotten used to both the lower prices and the lower quality. We won't get work if we jack up the prices in order to provide the quality of work we really should be providing.

Plus, the company owns the product (4, Insightful)

kcurtis (311610) | about 9 years ago | (#13845863)

Most contracts result in the company owning all of the intellectual property. If the programmer can't own their work, then the owner should be responsible for it.

Besides, it is a company's responsibility to sell good products. If they sell a product that is defective, it is often because they didn't do sufficient Q&A on the product, or rushed it to market.

Bottom line is that if a car maker sells a car with a defective part (the tires lugs were defective), and it passes shoddy Q&A, it is the maker's fault, not the assembly line guy. If it doesn't pass Q&A, you can be sure Ford won't sell it -- but the same doesn't seem true of software.

Re:Why not?! (1)

Osiris Ani (230116) | about 9 years ago | (#13845771)

Almost all other professions have to take responsibility for their work and constructs
...and so are programmers. They're generally held responsible by their employers, the way it really should be.

Re:Why not?! (1, Troll)

pilgrim23 (716938) | about 9 years ago | (#13845783)

The Code of Hammurabi has one of the oldest product liability clasues in history: If a building colapses and kills people, the builder shall be stoned to death. One could make the punishment fit the crime in that way: The bug revealed your email addrss to spammers; force the programmer into reading spam all day....and MAKE him reply to all the unsubscribe links ;)

Re:Why not?! (1)

sedyn (880034) | about 9 years ago | (#13845799)

Well, let's see what would happen...

Assume I work for a company with 100 programmers working on the same code.

Now, of course, I can't know what's going on with all 100 programmers at the same time. They may do something against the specs, and because of this, they FUBAR my code that follows said specs. Am I responsible? Do you trust a jury on that one, when you have to argue your case against your fellow employee? And what if the specs are absolute shit, who gets the blame there?

Furthermore, what's the incentive to me, a programmer, to tell you what's wrong with your program if you are just going to point the finger at me and try to get me sued? Why don't my fellow programmers and I have a pact that all debugging hooks, all error outputs, everything of the sort doesn't make the final product. Now it's harder to collect evidence to sue with. How does that help the consumer when things do go wrong? Why would any of us stick our necks out for them if they are just going to try to shoot us down?

Oh, and what happens when I'm working with say, MS software, and it's MS' fault that my program crashes (let's say a memory bug in windows caused it)? Then you have no idea who to sue (let's assume all programmers create a web of ignorance) and little evidence to do it with. And what of malicious intent? I shouldn't be held responsible if you are TRYING to break your machine and succeed for the sake of suing me.

And lastly, if it does happen programmers will have to unionize or something similar so they have the power to control their own work. This would destroy the software industry, because, we would have to adapt the best testing methods possible, and be very formal about it. Now, I don't think the average person in the software industry has the time, or even the training to do full formal evaluations. Now you need a higher quantity and quality of programmers, that because of their union will eventually start demanding more benefits, have fun paying for that.

Of course, this is just my 2 cents, but we all know what happens when union mentality creeps in.

Re:Why not?! (3, Insightful)

hackstraw (262471) | about 9 years ago | (#13845827)

Almost all other professions have to take responsibility for their work and constructs - why are programmers an exception?!

Name them. At least those that do not require a minimum level of formal training or accreditation.

Also, this is a mute issue because the lawsuits follow the money. If I were to sue somebody for faulty software, would I waste my time, money, and lawyer expertise on suing the developer that makes say $80,000 a year that probably has no real capitol to speak of, or the multi-million dollar company?

Also, when I was a developer, I was not the one that decided when the product was done testing and ready to ship. If I can't make that decision, then I have no liability. Period.

Re:Why not?! (1)

DeusExMalex (776652) | about 9 years ago | (#13845860)

It might have something to do with the fact that while yes, the programmers do the actual coding, it isn't their code. The company they work for owns and sells the code. If the company wants to sell insecure programs then it isn't the programmer's fault. Also, it's not as if a programmer saying "$PROGRAM needs more deveopment and bug-testing" has ever wielded positive results.

Usually.... (0)

Anonymous Coward | about 9 years ago | (#13845501)

In my experience, its always time to market + cost that wins out. When a consumer buys a product, they don't [usually] choose a "Secure" product, they buy the cheapest one thats on the shelf.

What next? (1)

jonthegm (525546) | about 9 years ago | (#13845513)

I predict that Slashdot will have a headline next week that proclaims "Security flaws totally the fault of the end-user."

Re: It's already part of the common language (1)

User 956 (568564) | about 9 years ago | (#13845671)

I predict that Slashdot will have a headline next week that proclaims "Security flaws totally the fault of the end-user."

Why re-state the obvious? [urbandictionary.com]

/sarcasm

How about both? (2, Interesting)

8127972 (73495) | about 9 years ago | (#13845520)

Vendors (more specifically, the product managers, sales types, etc.) are under pressure to get proudcts out the door to get sales and keep sharholders happy. That forces developers to limit the amount of time they spend writing quality software so that they can keep the PHB's happy. Net result, crappy insecure software.

BTW, this topic seems vaugely familiar. Is this a dupe?

Re:How about both? (2, Funny)

eln (21727) | about 9 years ago | (#13845566)

BTW, this topic seems vaugely familiar. Is this a dupe?

It's not a dupe, it's an "encore presentation."

Re:How about both? (1)

schon (31600) | about 9 years ago | (#13845581)

Vendors are under pressure to get proudcts out the door to get sales and keep sharholders happy. That forces developers to limit the amount of time they spend writing quality software

Ahh, so you're saying that developers are to blame for the decisions of their managers?

Yeah, *that* makes sense.

Re:How about both? (2, Insightful)

whyne (784135) | about 9 years ago | (#13845616)

Today's corporate structure has more than 2 groups involved. Excrement rolls down hill. The analysts and advisers explain the value of shipping a release this quarter or year (profit now for the quarter, later for the next quarter, then for the year ... ). Upper management liens on middle management. Middle then liens on lower and supervisors. Then the developers work harder to bring it to life. Even if they do not like the product/method/model, a programmer may not be able to effect the outcome.

Re:How about both? (1)

Liselle (684663) | about 9 years ago | (#13845857)

Yes, it is a dupe [slashdot.org] . Had 800+ comments.

Kettle = black; (5, Insightful)

LaughingCoder (914424) | about 9 years ago | (#13845534)

"the former White House cybersecurity adviser, argued at a seminar in London that programmers should be held responsible for flaws in code they write."

OK. And to make it fair, let's let lawmakers be responsible for all the unintended consequences their legislation brings about.

Re:Kettle = black; (1)

dattaway (3088) | about 9 years ago | (#13845613)

Don't stop there. Let's hold CEO's accountable for all the jobs lost due to layoffs and relations overseas.

Re:Kettle = black; (1)

Moofie (22272) | about 9 years ago | (#13845786)

They are accountable...to their stockholders. I say we hold the stockholders responsible.

I think we should limit the limitation of liability.

E&O by company or by employee (4, Informative)

Godeke (32895) | about 9 years ago | (#13845540)

Let's see: do we hold employees at an auto factory responsible when unrealistic timetables means shoddy workmanship, or do we hold the employer who chooses speed to market over quality responsible? If that failure means the death of someone, do we sue the manufacturer or the guy who made the poor weld?

Large software companies have more in common with factories than they do with law firms or medical practices, two places where the liability *is* on the individual. The employees don't get to choose how much time is spent designing quality and security into the product, nor do they get to choose how much quality assurance is done on the back end (although that is a lesser solution to quality code, it is still necessary).

The day that every programmer is licensed the way that doctors and lawyers are is the day I will reassess this position, but for now programmers are *not* in the position to make the decisions that lead to quality code. I'm not convinced that licensing would ensure that, but without licensing coders are nothing more that code churners cranking to the beat of the employers drum.

Re:E&O by company or by employee (2, Interesting)

LaughingCoder (914424) | about 9 years ago | (#13845580)

Large software companies have more in common with factories than they do with law firms or medical practices

Actually, this is true ... witness outsourcing. When's the last time you saw law firms outsource?

BTW, how is this going to work if the programmer is a citizen of India? Are US prosecutors going to extradite him or her for inadvertant buffer overflows?

Re:E&O by company or by employee (2, Interesting)

MaceyHW (832021) | about 9 years ago | (#13845676)

I agree 100% that the company, not the individua should be the one holding the bag, but what happens to feelancers? Unless they can pass the liablity on to the customer when they hand over the code (or otherwise shield their personal assests) virtually no-one is going to be sure enough of their work to code outside the protection of a company.

Re:E&O by company or by employee (4, Insightful)

mrchaotica (681592) | about 9 years ago | (#13845846)

The day that every programmer is licensed the way that doctors and lawyers...
In other words, the day when they start making "software engineering" a real engineering discipline, and letting programmers become Professional Engineers [wikipedia.org] :
The earmark that distinguishes a professional engineer is the authority to "sign off" or "stamp" on a design or a structure, thus taking legal responsibility for it. (emphasis added)

insecure software (3, Informative)

unix_geek_512 (810627) | about 9 years ago | (#13845542)

Having been involved in software development I can confirm that most companies are more concerned about cost than the security of their code.

They would rather get the product out there quickly in order to produce revenue rather than hire more and better developers
to secure the code.

It is very sad....

Re:insecure software (1)

Amouth (879122) | about 9 years ago | (#13845751)

I would have to agree with this.. but some times as a coder you just can't think of everything - hell there is always some way you can screw something up.. atleast any software big enough to sell for real money... either it is going to take forever to get software out there or there will be bugs.. but then again nothing is perfect that is why we have diffrent versions.. we make it we use it we see something wrong we fix it.. it is the a$$'s that use it see something wrong and exploit it that need to be beat across the head with a brick, don't start charging me becuause i didn't think of every posiable way to breake something.. it just isn't humanly posiable

Welcome to business. (2, Insightful)

shdragon (1797) | about 9 years ago | (#13845547)

I'd be glad to take responsibilty for any code I write just as soon as they're willling to pay my new, updated fees. If it's really *that* important shouldn't the client be equally if not more concerned with cost as getting it done right?

it's all about EULA (5, Informative)

Thud457 (234763) | about 9 years ago | (#13845556)

That's ok, it's covered in the EULA -- the vendor's not responsible for anything. Since the developers are either employed by or are contractors for the vendor, they're similarly protected from any responsibility. So it boils down to caveat emptor -- test, test, and retest before accepting any software product.

Too bad you have to click through the EULA before you can test it, suckers!

No I don't! (0)

Anonymous Coward | about 9 years ago | (#13845720)

I have a minor child who is too young to enter into a contract install all my software for me. I click no EULAs.

Clickthrough EULAs aren't worth diddlyshit. There is no way of proving WHO clicked through.

A real EULA is a signed document like they used to have in the cave man days when a "computer" was a three story tall pocket calculator and its programs cost hundreds of thousands of dollars.

The only thing dumber than a EULA is anybody thinking they can ever be enforced. Which is why one has never been in court - the prople who write them know they'd be laughed out of court if they ever tried to sue.

(mind reading capcha="paranoid"... good work guys)

Howard Schmidt is incompetent. (0)

Anonymous Coward | about 9 years ago | (#13845561)

Howard Schimidt has probably never written a single line of code in his life. Fixing software does not require attorneys. It requires better education for developers.

What do you want Mr. Schmidt? A team of attorneys in each cubicle? Do you want programmers afraid to write new features for fear of being named in a a lawsuit if the code is buggy? Do you think trial attorneys do not have enough money as it is suing people over slip-and-fall cases in grocery stores.

Please stop your complaining until you show you actually know what you're talking about.

Re:Howard Schmidt is incompetent. (2, Funny)

geomon (78680) | about 9 years ago | (#13845571)

Please stop your complaining until you show you actually know what you're talking about.

You, sir, have single-handedly brought Slashdot to a stand still.

I hope you are happy.

Re:Howard Schmidt is incompetent. (0)

Anonymous Coward | about 9 years ago | (#13845813)

I doubt you'll find many people who have dealt with Howard Schmidt directly will disagree with me.

Why stop with coders? How about bureaucrats too? (1)

samuel4242 (630369) | about 9 years ago | (#13845563)

Last week Howard Schmidt, the former White House cybersecurity adviser, argued at a seminar in London that programmers should be held responsible for flaws in code they write."

And why not make the folks in Homeland Security responsible for the flaws in the infrastructure? At a recent congressional hearing for the FEMA folks, a congresswoman asked whether the folks at FEMA should be prosecuted for negligent homicide. She pointed out that a bus driver was being prosecuted. Perhaps it made sense to go farther up the chain.

Seriously, it's hard to hang individual coders for the same reason it's hard to hang cybersecurity advisors. Most coders work in teams and failures are often systemic. They're literally no one's fault. Well, perhaps the fault of the person who designed the system. But I can tell you that it's very hard if not impossible to anticipate everything that can go wrong.

This is where OSS comes in... (1)

Jonnty (910561) | about 9 years ago | (#13845564)

Vendors should love open source in this case, nice and cheap (usually) well developed. There's a case for making propriatory software developers liable - we trust they have checked the code - but you can check the code of OSS so if you want to sue the developer you should have checked the code. How can you be sure a product's ok if you can only see the results it produces.

Re:This is where OSS comes in... (1)

LaughingCoder (914424) | about 9 years ago | (#13845633)

Interesting analogy (and couched as yet another shameless plug for OSS). So then, following your lead, if I make a shoddy car, all I have to do is publish the design drawings and I'm covered? How about pharmaceuticals (here's the molecular structure, feel free to discover and fix any fatal side affects)?

Re:This is where OSS comes in... (1)

Jonnty (910561) | about 9 years ago | (#13845782)

Cars and pharmacuticals are different - the knowledge is much more easier and cheaper to aquire. If you are going to use software for anything that would warrant litigation if it failed then it should be your resposibility to check the code, hire programmers to fdo it, whatever - if you want to get propriatory software you can pay for the assurance they've checked it over. If you're going to use it for everyday stuff the current situation is fine, so there should be little need for change. Also, buggy code can be pinpointed quickly and easily by third parties, and thus repaired.

And taking it further... (1)

DigitlDud (443365) | about 9 years ago | (#13845567)

Users are to blame for putting up with crap and buying insecure software.

this doesn't sit well with me (3, Insightful)

fak3r (917687) | about 9 years ago | (#13845569)

  • "White House cybersecurity adviser, argued at a seminar in London that programmers should be held responsible for flaws in code they write
"The problem with that is when an employee writes code for a company, it becomes the companies' code, so it would follow that any litigation should fall on the company, and not the programmer. I would also argue that the programmer doesn't release the software, that's up to the company which *should* have testing and QA measures in place to find bugs and insecurity.

Re:this doesn't sit well with me (1)

GoatMonkey2112 (875417) | about 9 years ago | (#13845685)

Makes sense to me. Otherwise developers would be able to take their code with them when they leave the company.

Re:this doesn't sit well with me (1)

fak3r (917687) | about 9 years ago | (#13845800)

Right, I'm not arguing that point, but once the rights are the companies', shouldn't the liability be the companies' as well? I'm arguing 'yes'.

Pfft! You call this science? (4, Funny)

Quiet_Desperation (858215) | about 9 years ago | (#13845576)

Everyone knows that insecure code is caused by code rot and magical error pixies.

Next you'll be claiming that bad movies are the fault of the people making them, or that it's Britney Spears' fault she sounds like a howler monkey being run over by a bus.

Sheesh. Scientologists...

Secure code will never happen (4, Insightful)

digidave (259925) | about 9 years ago | (#13845585)

I'm sick and tired of hearing talk about holding vendors or developers legally responsible for writing insecure code. It's impossible to write any complex application and not have security problems.

The software industry operates more like the automobile industry: they know their cars will have problems, so they freely fix those problems for the warranty period. Software's warranty period is as long as the vendor or developer say they'll support that software.

The major difference is with closed source software, after the "warrany" period is up you can't usually pay someone to fix the problems. Open source provides a great car analogy, because after, say, Red Hat stops supporting your OS you can still fix it yourself or hire a developer to fix it for you.

This is why nobody would buy a car with the hood welded shut. For the life of me I can't figure out why anybody would buy software with the "hood" welded shut.

Re:Secure code will never happen (1)

hackstraw (262471) | about 9 years ago | (#13845893)

It's impossible to write any complex application and not have security problems.

Tell me about it. Its too cool that I can always find an exploit in my credit card company's computer system, my bank's computer system, and the IRS computer system so that I can simply raise my credit limit, lower my balance, put more money in my account, and I never have to pay taxes. Next week, I'm going to start a nuclear war just for fun, because the password on WOMPR is still "Joshua".

WOULD YOU LIKE TO PLAY A GAME OF CHESS?___

Address its insecurities (0)

Anonymous Coward | about 9 years ago | (#13845590)

I always try to reassure my code that it matters and that people love it in spite of its flaws. That usually helps to reduce my insecurities. So I try to show the same kindess to my code. ...as far as unsecure code.... ...uuuuh...

So What Bruce is Basically Saying... (1)

Evil W1zard (832703) | about 9 years ago | (#13845592)

Is that developers are looking to make a profit because that is what it comes down to when you do cost vs. benefit analysis... Its like when factories were required to put giant filters in place to help cut down on pollution and if they didnt they were find $1000 dollars... Well if it costs a million dollars to implement the pollution solution (yes that rhymes) then cost vs. benefit for a profit margin was simple for them (although the environment suffered...) Should there be penalties for bad security practices when developing code... IMO yes, but even with those penalties it still might not make a difference depending on what those penalties are...

Re:So What Bruce is Basically Saying... (1)

dzfoo (772245) | about 9 years ago | (#13845879)

You are correct, but I believe that the penalties suggested by Schnier and Schmidt are end-user lawsuits, which can be a very large expense on the corporations.

      -dZ.

Vendors or Developers To Blame? (1)

BorgCopyeditor (590345) | about 9 years ago | (#13845599)

Vendors or Developers To Blame?

I don't know anything about what causes buggy software, but years of training by the press, television, and movies have meticulously prepared my brain to accept the oversimplifying fiction that it must be one of them and not the other.

I go chop your dollar (0, Offtopic)

kinaidos (737595) | about 9 years ago | (#13845602)

In case you want to give their fight song a listen, here it is - I Go Chop Your Dollar: http://www.tlcafrica.com/I_go_chop_your_dollar1.mo v [tlcafrica.com]

Re:I go chop your dollar (0)

Anonymous Coward | about 9 years ago | (#13845695)

Ignoring the off-topicness of this, I'd like to give it a listen. But I'm afraid it's a carefully crafted hack that exploits a buffer overflow in Windows Media Player. What to do?

make candidates responsible for constituents (1)

demon4 (778594) | about 9 years ago | (#13845611)

reminds me of an article about making politcal candidates responsible for any illegal action their constituents perform (eg a supporter makes ballots, you get in trouble), kinda makes running for office less appealing

This is really stupid (1)

Spirckle (872312) | about 9 years ago | (#13845622)

That can only increase the move to outsourcing software. If the companies who put out shoddy software because refuse to implement any kind of internal controls aren't held accountable and US programmers become even more expensive, guess who gets the work and then who ya gonna sue? Somebody in china who makes $37 a day? right...

Put the burden of liability on the real reason buggy software gets shipped. Hint, it's not the developers 9 times out of 10.

I'm a lawyer... (1)

Anita Coney (648748) | about 9 years ago | (#13845632)

So I think everyone is financially to blame, other than my client of course.

How stable is stable? (1)

manarth (919856) | about 9 years ago | (#13845634)

We've long recognised that different computer systems need different levels of security and stability: real-time systems running Boeing auto-pilots don't need firewalls (at least, I assume they're not networked!) but do need high reliability and stability. Headlines like Nuclear power station brought down by Slammer worm [theregister.co.uk] shouldn't happen - and when it does someone needs to take responsibility.

However, the cost of developing a super-stable system is massive; whilst absolving all risk (as most EULAs do) is akin to passing the buck, liability for flaws needs to be allocated reasonably.

Worse isn't better, it's just 90% don't want it (2, Interesting)

Nevyn (5505) | about 9 years ago | (#13845648)

This all seems to be a rehash of the "worse is better" meme ... that those damn software programers/companies aren't doing what we want. The only problem is, it's all crack [artima.com] . Almost no customers, even now, are willing to pay more for "quality".

Yes, I think all other things being equal, people will go towards quality/security ... but it just isn't high on anyones list. Cheap, features, usable ... and maybe quality comes in fourth, maybe.

And, yes, there are exceptions ... NASA JPL obviously spend huge amounts of money to get quality at the expense of everything else, and I say this having written my own webserver because apache-httpd had too many bugs [and.org] (which comes with a security guarantee against remote attacks) ... but I'm not expecting people to migrate in droves from apache-httpd, it's got more features. The 90%+ market share have spoken, consistently, and they just don't care about the same things Bruce and I do.

I have a lot of respect for Bruce, but the companies really are just producing what most people want ... so stop blaming them.

Re:Worse isn't better, it's just 90% don't want it (1)

Coryoth (254751) | about 9 years ago | (#13845834)

This all seems to be a rehash of the "worse is better" meme ... that those damn software programers/companies aren't doing what we want. The only problem is, it's all crack. Almost no customers, even now, are willing to pay more for "quality".

That is slowly changing as the security and reliability meme becomes more common in the mainstream. In practice it was Microsofts horrible run with security, which got a lot of press time, which began to bring security into public focus. It's still not entirely mainstream, but people are more aware than they were, and more and more people are beginning to care.

Jedidiah.

Holy Schmidt!!!! (0)

Anonymous Coward | about 9 years ago | (#13845661)

Howard Schmidt can suck my left nut while I take a shit!

Developers and Vendors should share blame (1)

no13 (903519) | about 9 years ago | (#13845666)

So you think making level 5 DFD's and showing the clients is good for business? Did it help in securing the network enabled parts to be any safer? NOPE!

People are now coming UP from security by obscurity. This means that they're becoming security conscious. 2002-2005 witnessed the rise of spyware and spyware awareness together. Even MS, Symantec and McAfee call it a legitimate threat.

With the customers and users becoming more security conscious and aware, both developers and vendors turn a blind eye. So you think making level 5 DFD's and showing the clients is good for business? Did it help in securing the network enabled parts to be any safer? NOPE!

People are now coming UP from security by obscurity. This means that they're becoming security conscious. 2002-2005 witnessed the rise of spyware and spyware awareness together. Even MS, Symantec and McAfee call it a legitimate threat.

With the cusSo you think making level 5 DFD's and showing the clients is good for business? Did it help in securing the network enabled parts to be any safer? NOPE!

People are now coming UP from security by obscurity. This means that they're becoming security conscious. 2002-2005 witnessed the rise of spyware and spyware awareness together. Even MS, Symantec and McAfee call it a legitimate threat.

With the cus what was the last time someone actually TRIED to foolproof his code? Even if it was a bittorrent client...

NO developers pay ANY attention to this aspect, whether while coding, or while designing, or even when learning. (I can crash 100% of all programs created inside my univ. by first to third year students, within an hour... TC++ on DOS)

Vendors on the other hand, it has been correctly mentioned, that pay no attention to code security, stability, testing...

Result? Crappy code that dies on you.

Let's get Micro$oft bashing on..



It's partly the fault of compiler vendors like MS and borland too... NO tools are popularised to enhance stability, efficiency or security... It's ALWAYS new features this, connectivity that, .NET here, MSSQL there, J2EE over there...

offtopic... Silly mistake. Apologies. (1)

no13 (903519) | about 9 years ago | (#13845715)

damnit

stupid clipboard... sticky keys. :(

I'm really sorry...

WHY can't we edit our own comments, BTW?

edited comment... don't think you'll read it :( (1)

no13 (903519) | about 9 years ago | (#13845767)

So you think making level 5 DFD's and showing the clients is good for business? Did it help in securing the network enabled parts to be any safer? NOPE!

People are now coming UP from security by obscurity. This means that they're becoming security conscious. 2002-2005 witnessed the rise of spyware and spyware awareness together. Even MS, Symantec and McAfee call it a legitimate threat.

With the customers and users becoming more security conscious and aware, both developers and vendors turn a blind eye.

what was the last time someone actually TRIED to foolproof his code? Even if it was a bittorrent client...

NO developers pay ANY attention to this aspect, whether while coding, or while designing, or even when learning. (I can crash 100% of all programs created inside my univ. by first to third year students, within an hour... TC++ on DOS)

Vendors on the other hand, it has been correctly mentioned, that pay no attention to code security, stability, testing...

Result? Crappy code that dies on you.

Let's get Micro$oft bashing on..

It's partly the fault of compiler vendors like MS and borland too... NO tools are popularised to enhance stability, efficiency or security... It's ALWAYS new features this, connectivity that, .NET here, MSSQL there, J2EE over there...

This is simple (0)

Anonymous Coward | about 9 years ago | (#13845682)

Security flaws and bugs are the same thing from different angles. Both are functionality that was not intended, both come from the same cause (programming error/oversight), and both can be reduced through the same means: intelligent modularization, testing, and review.

The problem is that security has been far less modular than general design. Why is it a running application has the entire rights of the logged in user? Why can it access the internet (without software firewall), read/write any file, or do anything I as a user can do?

It shouldn't. It's as simple as that. It's like running a bank with a big thick wall to get in, with strict credential checks and armed guards, and meanwhile you expect the customer to conduct all of his business as he pleases and honestly once he's inside. (ooohh.. I'll just take a few thousand dollars and write down that I withdrew that much!)

Then you hold the customer responsible when he accidently screws up? That's insane. The problem when a particular server has a security flaw in it is that it can expose the entire machine: instead, it ought to expose _only_ the functionality the server needs to run.

But this also applies to -all- applications. A security hole in your webbrowser? Well, why the hell can your webbrowser run random commands on your machine without your permission?

As far as I'm concerned, the entire running model for OSes is going to be dramatically different in another few decades. When a program wants to open a new file, up will pop an -operating-system- file open -- requesting whether you, the user, would like to the application to read (or maybe write?) a file. When it wants to communicate over the IO, the OS will prompt you to allow it or not.

Mark

Re:This is simple (1)

Penguinoflight (517245) | about 9 years ago | (#13845811)

First, wow why would you post anonymously and use a signature?

Second, yes, there are problems with what rights a program is given by default in an operating system. This is mostly a problem with the operating system though, and not the software. If the software must report to the user itself, it could report something safe, and do anything else the author intended (Think pop-up windows with the close image that loads your browser with junk instead.)

Honestly I think that the best solution to this problem is already present. Multi-user operating systems allow users differnt rights, and you should run a program as a user that has only the rights it needs. Security problems then only arise in a single area(the operating system), and can be addressed more easily because a larger set of individuals use the operating system than the set of individuals using any random program.

employer is liable (1)

putko (753330) | about 9 years ago | (#13845692)

There are laws that say that the employer assumes the liability for the employees -- unless the employee is acting so bad (e.g. going out of his way to kill someone) that you then say the employee is acting badly. This is why, for example, Domino's contracts with drivers to provide pizza delivery services: Domino's doesn't want the liability for auto accidents. I guess the law could be changed, but that's basically how it goes now. I don't see how it could go any other way: e.g. Billy Gates tells you to ship, or you are fired. You then say, "But Billy, there's 10,000 bugs in windows -- people will suffer damages if we ship now?" Or do you say, "yes master, slink away and ship what you know is a bunch of crap?"

Coders responsible? (1)

dokhebi (89124) | about 9 years ago | (#13845700)

I agree and dis-agree on this. If a software creator is working on his/her own with no one else making the decisions, then that person is responsible for the code that is generated. On the other hand, a programmer in a cubicle farm is not responsible be he/she is doing what they are told, and they have people doing code reviews so the ultimate responsibly falls on the shoulders of the project manager.

In other words, it's always the boss's fault.

This is just my $0.02 worth...

RTF-REAL-A from wired (5, Informative)

dzfoo (772245) | about 9 years ago | (#13845703)

The real article by Bruce Schnier is in Wired:

http://www.wired.com/news/privacy/0,1848,69247,00. html [wired.com]

Its more interesting than the sound-bite-full ZD-Net summary.

      -dZ.

come on, really. (2, Insightful)

CDPatten (907182) | about 9 years ago | (#13845704)

I'm a developer and errors/holes in my code are my fault. Some, could in theory be the fault of the framework I use, but typically, its mine.

People really over complicate this topic. Nobody is perfect, and people make mistakes. It really doesn't matter what excuse I use (deadlines, bad company decisions, whatever) if its code I wrote, its my fault. Even if I identified the hole and my boss told me to skip it, I still published flawed code. If I was perfect, it would be bullet proof from the get go, and if my team was perfect the same would apply. My boss would never have to tell me to ignore the error/hole, because my UML model was flawless, and my execution of it was flawless.

I think this topic comes up because of one of two things; developers passing the buck, or blogger/writers trying to get some press. The fault is obvious, the solution however is far more difficult, and since humans will create the solutions, chances are it will be flawed too, and the cycle repeats...

Re:come on, really. (1)

Red Flayer (890720) | about 9 years ago | (#13845851)

" I'm a developer and errors/holes in my code are my fault.""

Yes, but fault != financial responsibility for the consequences of the errors. Who is taking the financial risk by publishing the software? It's the same entity that will be reaping the rewards of sales of that software, or of other revenue streams derived from distribution of that software.

"Even if I identified the hole and my boss told me to skip it, I still published flawed code"

Not really. You wrote it, but your company published it. It was the decision of the company to release the code into the wild; without that decision, the damages would not have occurred. It was also your company, not you, who entered into an agreement with the purchaser of the software (whether through a distributor or not).

Poor Linking (1)

adavies42 (746183) | about 9 years ago | (#13845709)

The link in the post goes to a LA Times summary of the article. The real article is at Wired [wired.com] .

Re:Poor Linking (1)

adavies42 (746183) | about 9 years ago | (#13845769)

OK, I must be on crack today--the lame article is at zdnet, not the LA Times. My point still stands tho.

You get what you pay for (1)

davidwr (791652) | about 9 years ago | (#13845714)

For most applications, it should be "caveat emptor" unless the vendor DELIBERATELY "put in" a back door or knowingly or recklessly made promises that weren't true. If you pay $99 for a multi-MLOC piece of code and someone finds a security bug after it's shipped, my first inclination is to say "too bad, let the market punish the vendor not the courts."

In almost all remaining cases, it should be the vendor who is responsible, not the developer.

The only time a developer should be responsible is if he's a corporate officer or licensed by the state. Licenses should be required only for "life and death" software like flight-control software, MRI machines, and other things that can kill someone if there is a bug. In those cases, the entire unit - the entire MRI machine - should be "approved" by a licensed professional.

Employer is Liable (1)

putko (753330) | about 9 years ago | (#13845718)

Sorry: I screwed up my formatting and punctuation. Here it is again, this time with feeling.

There are laws that say that the employer assumes the liability for the employees -- unless the employee is acting so bad (e.g. going out of his way to kill someone) that you then say the employee is acting badly.

This is why, for example, Domino's contracts with drivers to provide pizza delivery services: Domino's doesn't want the liability for auto accidents.

I guess the law could be changed, but that's basically how it goes now. I don't see how it could go any other way: e.g. Billy Gates tells you to ship Windows Clusterfuck Edition now, or you are fired.

You then say, "But Billy, there's 10,000 bugs in Windows CFE -- people will suffer damages if we ship now?" Or do you say, "Yes master," slink away and ship what you know is a bunch of crap.

What the.. (1)

MaXiMiUS (923393) | about 9 years ago | (#13845729)

For some reason I remember reading this on a different site a few weeks ago. Bad Slashdot repeating repeated news! Bad!

The vendor... (4, Insightful)

BewireNomali (618969) | about 9 years ago | (#13845730)

I don't code, but I don't think making developers responsible for faulty code is a good solution.

If I develop X for a company that then takes X to market, and X turns out to be faulty, company should be at fault. I am at fault for writing shoddy code, the effect of which will be that I get fewer future contracts or employment to do the same. Company is at fault for taking X to market, and as such should be resonsible for any liability due to X's shortcomings.

GM is responsible for a shoddy part on one of its vehicles, not the engineer that developed the part.

Sole proprietors who take their code to market should be responsible, but in that instance, the sole proprietor is both developer and vendor.

Languages with buffer overflows need to be avoided (5, Insightful)

applecrumble (910692) | about 9 years ago | (#13845738)

A good start to our current security problem would be to stop writing internet based software in languages that allow buffer overflows to occur (e.g. C, C++). 90% of security exploits are caused by buffer overflows. I've seen a figure like this in research papers, but it should be obvious to anyone from reading patch descriptions and current security alters. Writing computer programs in these types of languages and patching the errors as they are found is simply not a scalable solution. It essentially means that if you write a program to be used on a network, you have to maintain and patch it forever because you'll never catch all the buffer overflows it contains (e.g. the zlib bug, not a particular large library and it has been around for a long time). Picking a tool that doesn't even allow these types of errors is the obvious solution. In addition, we need to start using more granular security permissions for our programs. Blaming security problems solely on users is ridiculous. Could you explain to me why a program downloaded from the internet has read and write access to every file on my computer? Why it can open up network connections? Having root users is a start, but we need to be able to sandbox all the applications we download so they just aren't allowed to do anything bad. I see no reason why a user shouldn't be able to download and run any program they find, as they should all be sandboxed appropriately that they cannot cause damage.

Re:Languages with buffer overflows need to be avoi (2, Insightful)

mopslik (688435) | about 9 years ago | (#13845867)

I see no reason why a user shouldn't be able to download and run any program they find, as they should all be sandboxed appropriately that they cannot cause damage.

Sure, it may be a good start to remove some of the bugs, but who writes the sandbox? In what language? Is the sandbox itself sandboxed, to prevent being comprimised? If so, who writes that sandbox? In what language? Is that sandbox itself sandboxed, to prevent being comprimised? If so...

It's not an "obvious solution." It's an "obvious time-saver" when it comes to having to check for bugs.

Could you explain to me why a program downloaded from the internet has read and write access to every file on my computer?

I think that has more to say about your choice of operating system rather than the program itself.

It essentially means that if you write a program to be used on a network, you have to maintain and patch it forever because you'll never catch all the buffer overflows it contains.

I think you mean:

It essentially means that if you write a program to be used on a network, you have to maintain and patch it forever because you'll never catch all the programming errors, incorrect assumptions, and random unexpected behaviour introduced through unforseen run-time activity it contains.

It's the customers' fault (2, Insightful)

rsheridan6 (600425) | about 9 years ago | (#13845748)

If customers demanded secure software, then vendors would produce secure software. People instead buy software that's either the most familiar, easiest to use, cheapest, or has the most features checked off, so that's what vendors. That's why the utter pile of crap known as Windows 3.1/95 won while OS/2 and other more secure alternatives lost, and Windows continues to win over more secure alternatives today. Why should vendors spend their resources on something people have proven they don't care about?

If people really cared about security, MS would have been driven out of business a long time ago, and other vendors would have taken note of that and made sure the same thing didn't happen to them. We would have more secure, less featureful, less convenient, more expensive software. But people don't care that much, so that didn't happen.

I'll accept liability for the code (5, Insightful)

Todd Knarr (15451) | about 9 years ago | (#13845756)

As a programmer, I'll accept liability for bugs in the code... the day I get the same protection that a professional engineer gets: if I say I need X for the program to be properly designed/written/tested, any manager or executive or marketer who says otherwise can be thrown in jail. No mere job protection, no civil remedies, jail time for anyone who tries to overrule me, same as would happen to a manager who overruled the structural engineer's specification of the grades of concrete and steel to be used in a building.

Responsibility and authority go hand in hand. If they want to hand the the responsibility, they give me the authority to go with it. If, OTOH, they don't want to give me the authority, then they can shoulder the responsibility.

MOD PARENT UP! (1)

mrchaotica (681592) | about 9 years ago | (#13845886)

Not only is this exactly the correct solution to this problem, it also illustrates why anyone who calls themself a "Software Engineer" is full of it!

Plenty of Examples (3, Insightful)

jpowers (32595) | about 9 years ago | (#13845761)

You can make a case for this without worrying about impinging on the right to make free software. Peopleware really isn't worth the thousands of dollars it runs you. Solomon Accounting isn't worth the $100K it costs for a companywide install, Great Plains and larger packages like Deltek's Costpoint (actual install cost: $450K) are no better.

They have weak or no APIs, the built-in tools aren't able to perform the most basic tasks the users want, and the customized workaround take as much work as rewriting the software.

I think the guy from the article has a point, as there are many businesses that spend many times any of our salaries running commercial software, and the people involved in the purchase have no idea they're throwing bad money at subpar products. I'm not sure he's talking about something relevant to most slashdotters: even those of us who work in IT don't really get to pick the accounting software people use, the CFOs pretty much run what they know and we have to build accounting their own network around that package.

Who Do You Trust? (4, Insightful)

PingXao (153057) | about 9 years ago | (#13845766)

Who do you trust more?

Noted security expert or political hack, ... noted security expert or political hack, ... noted security expert of political hack?

It's not even close. On the credibility front Schneier has hundreds - no, thousands - of times more credibility on this issue than a political appoiontee out of the White House. Actually it's infinitely more credibility because anything times zero is zero where the White House is concerned.

Reliance on External Packages (1)

t'mbert (301531) | about 9 years ago | (#13845790)

Modern software development relies on an ever-expanding list of external factors. Case in point, our application ran perfectly fine until one day, it started crashing. The errors gave us no clue to the problem. As far as we could tell, the software was fine. Our software ran on top of a J2EE server, which runs on top of a JVM, which runs on top of an OS, which runs on top of hardware. It relies on database drivers, which connect over a network, which run against a database, which itself relies on the os, which runs on hardware. The J2EE server, of course, relies on the web server, and the driver to make the two work together. They all rely on the firewall for security, and the crypto flavor-of-the-year for HTTPS security.

All of these pieces can be culprits in the issue, but only one of those is in your direct control, that being your source code.

In the end, a MS patch against the OS caused issues in the JVM which caused issues in the J2EE server, causing our JDBC connections to lock up and fail. To find that we had to check every piece mentioned above. Swapping out to another JVM fixed the issue, but was risky because the source, which we purchased from a third party, was not qualified to run on the newer JVM.

Now imagine unwinding all of that in court. Who's fault is it? MS is just patching their OS. Sun can't be held liable for a bug in a JVM that's no longer being maintained, and was not certified to run on the newer OS patches, the J2EE server can't be upgraded because the app isn't built to run on it.

The fact of the matter is that you can't hold the engineer who designed the break pads responsible for a crash if the driver can switch out the engine, transmission, wheels, tires, diffs, etc., and can drive past the limits of the design of the automobile.

Ideas like holding software developers or development companies accountable will lead to far less software development, more expensive software, with very hard vendor-imposed limitations, like "by agreeing to this EULA you agree to run this software on a dedicated, vendor-approved machine, with the os of our choosing, and you may not patch the os or hardware drivers unless it is cleared by us."

No way. I'll take what we have.

Hrm, I'd say I partially agree.... (1)

ShyGuy91284 (701108) | about 9 years ago | (#13845821)

I am still in college for CS, so I'm not really in the loop enough to know about the real-world application of programming, but I am split on this subject. Is it the developers fault bugs are in code? Yeah. But could it be helped? Probably not. The nature of programming alone makes it seem that almost everyone probably misses a few bugs (that are probably caught during testing before the product goes gold), since people do not work like computers. And from what I've heard, the time constraints for many projects probably don't allow for debugging and testing as much as they should. Hard set deadlines in large projects seem like a rough thing to work with since you never know how programming is going to go, and in crunch time, proper debugging seems like it would be the easiest part to skimp on to meet the deadline.

Martha Stewart (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13845829)

Did a little time at Camp Cupcake, and for her, that was a pretty tough grounding. Not all these bastards are like her, though.

What I'd like to see is the entire management of corporations drug out into the town square and beat with cane poles. Get some deterrance in there at the top echelon of every company. Make every company decision a personal decision: "Am I prepared to get my fucking ass clubbing, out in public with a cane pole, because I rushed the development to meet Christmas season?"

By God, you'd see sons of bitches making better decisions when they're eating donuts at the meeting, or you'd see sons of bitches limping around. And you'd probably see a pay hike for every programmer in the industry, even the out-sourced Indian guys and girls.

Singapore does it right. This shit with the Supreme Court finding "evolving standards" and "World Opinion" needs to stop looking at those pussies in Europe, and take a look over at how Singapore gets the job done.

Security in Programs (1)

ncb000gt (865657) | about 9 years ago | (#13845852)

While security should be a focus and currently is not, it is not the programmers fault for the screw ups.
I saw one post mention that everyone else is responsible for their actions...Try making a computer run with lines of text...Programming is a bit different that lines of
[code]
Computer: go to internet
Computer: go to slashdot.com
[/code]
People don't understand what programming is like. While some people like it, have a knack for it, etc it is difficult to catch every possible problem.

Take an application, a mid-large sized application, that is like 50+/- thousand lines of code and really tell me that you can debug the entire thing in a timely way? It does become very cost-inefficient.

Now, I do agree that security should be a focus of software development companies but look from all sides. Security should be a huge concern of companies and it should be the companies responsibility to provide the resources for security efforts. NOT the programmer.

As the first post mentioned, if you start requiring programmers to hedge liabilities you will see many programmers drop from the field due to the cost alone and you will find that your rants about security will escalate due to the lack of good programmers...

The broader picture... (2, Insightful)

jferris (908786) | about 9 years ago | (#13845887)

...is that developers are not the only people responsible.

Although it may vary from shop to shop, where I am currently follows a pretty standard model:

  • Business Analysts gather requirements from the prespective users.
  • Project Management creates specifications
  • Specification are presented in a JAD session where they are gone over in a public discussion
  • Project Management and Business Analaysts work together to deliver a formal Design Document
  • Second JAD session to dissect Design Document and petition for any changes.
  • Development begins while Technical Writers produce any documentation in conjunction with Project Management and Developers.
  • Development performs Unit Testing to verify that the requirments of the specifications are met, as detailed in the Design Document.
  • Quality Assurance tests the entire functionality on top of what has been Unit Tested by Development.
  • Release is scheduled.
  • Repeated as needed (although usually more briefly) for bugs and maintenance.

There is a major misconception that a Developer is the "one stop" source for software, where that is rarely the case. Even when some of the first steps are handled by a single person (usually when the Developer is a Lead or a Programmer Analyst, in title) the process entails more than just a single person.

It is only a matter of time, if it hasn't happened already, that insurance companies start selling liability insurance to Developers, just like they sell Malpractice insurance to Doctors. There are companies out there that will claim the "collective effort" when the profits roll in, but will hang a developer out to dry when something goes wrong. Thankfully, I left that job for the one I am at now. ;-)

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?