By Tom Espiner
Posted on ZDNet News: Oct 12, 2005 5:06:00 PM

Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, a former White House cybersecurity adviser.

Speaking Tuesday at the SecureLondon 2005 conference, Schmidt, who is now CEO of R&H Security Consulting, also called for better training for software developers. He said he believes that many developers don't have the skills needed to write secure code.

"In software development, we need to have personal quality assurances from developers that the code they write is secure," said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL.

"They had strong authentication, strong passwords, an encrypted tunnel. The stored data was encrypted. But when that data was sent to the purchasing office, it was sent as a plain text file. This was not an end-to-end solution. We need individual accountability from developers for end-to-end solutions so we can go to them and say, 'Is this completely secure?'" Schmidt said.

Schmidt also referred to a recent survey from Microsoft finding that 64 percent of software developers were not confident that they could write secure applications. For him, better training is the way forward.

"Most university courses traditionally focused on usability, scalability and manageability--not security. Now a lot of universities are focusing on information assurance and security, but traditionally, Web application development has been measured in mouse clicks--how to make users click through," Schmidt said.

Companies that develop software also have a role to play, said Schmidt, by checking that prospective employees have relevant security qualifications before hiring them.

The British Computer Society agreed that there should be accountability in software development but argued that companies should be held responsible for the security of the code written by their employees, rather than by the employees themselves.

"Howard has gone to an extreme by saying software developers should be held personally responsible for the security of the code they write, but we broadly agree with the direction he's taking. I know a lot of developers who would be very uncomfortable with that level of accountability, especially if that were legal accountability. It is a company's responsibility to make sure the security features of its software are tested with rigor," a security representative for the BCS said in an interview.

"There is also the point that code isn't static. Once purchased, it can be modified," the representative added, pointing out that this would reduce individual accountability.

In addition, many security attacks succeed because people have not installed the latest patches or have installed a system incorrectly.

Businesses themselves should accept some responsibility for the security of the software they purchase, the BCS representative said. "The software has to be shown to be fit for its purpose. This is essential for producing a trustworthy online environment," the representative said.

Tom Espiner of ZDNet UK reported from London.

Talkback (most recent of 185)

developer liability for flaws in software products
To the extent that software should do what it purports to do and developers warrant the product does that, I agree they should be held accountable, particularly if the product is sold to users.
Posted by: johnbarri, 10/20/05