Hold developers accountable, not liable, for flaws

Summary: A story on ZDNet on making code more secure quotes Howard Schmidt, former White House cybersecurity adviser as well as Microsoft and eBay security czar and now CEO of R&H Security Consulting, about holding developers accountable (not liable) for the code they write (the headline on the story, "Expert: Hold developers liable for flaw," is inaccurate and will be corrected).


A story on ZDNet on making code more secure quotes Howard Schmidt, former White House cybersecurity adviser as well as Microsoft and eBay security czar and now CEO of R&H Security Consulting, about holding developers accountable (not liable) for the code they write (the headline on the story, "Expert: Hold developers liable for flaw," is inaccurate and will be corrected). "In software development, we need to have personal quality assurances from developers that the code they write is secure," Schmidt said during a presentation at the SecureLondon 2005 conference. He cited studies showing that developers generally don't have confidence that their code is secure and lack proper training.

I talked to Schmidt when he returned from London this afternoon, and he gave me his take on accountability and on where liability fits into the picture. He believes that more rigorous inspection of code (the coder's work) is required before it gets into production. "An auto worker or garment worker is paid based in part on how well they do their job. When you buy clothing, you'll find an 'inspected by' tag with someone's name. It would be nice if when you develop internally or buy software you get 'inspected by' information, and if it doesn't meet standard you have a 1-800 fix me number to call," Schmidt said. He suggested that performance reviews take into account adherence to the security models designed into the employee's code.

That makes sense, but how do you measure security in code? He said that there are currently enough static analysis tools, such as Ounce Labs and Fortify, that can analyze source code before it's even compiled. In addition, penetration tests can be run, and internal-facing Web applications, not just public ones, can be checked for vulnerabilities. Outsourced contractors and suppliers should be held to the same standards.

Schmidt said that he is not in favor of assigning liability if a company (not the individual programmer) has done its due diligence, quality assurance and testing. "If something slips through, it's not a liability issue. In the case of open source code, who do you hold responsible if there is a defect?"

In his view, liability suits related to software security don't have much benefit. If the government pays, taxpayers end up with the bill; if a company pays, so do its shareholders, and the company raises its prices to cover the costs or has to cut staff or employee pay, Schmidt said.

We've gotten used to letting companies, including one of Schmidt's former employers, off the hook, and paying hard-earned money to patch and secure systems that have defective code. Microsoft didn't intend to make insecure software, but its flaws let malicious hackers exploit it and cost businesses collectively billions. As Schmidt says, educating programmers and having better disciplines around secure coding are critical, but companies, not just the individuals, have to be held accountable for their products. Suing them isn't the answer unless there is malicious intent or serious malfeasance, but taking your business elsewhere, if possible, is.

Topic: Software Development

  • accountable is fine; liable for?

    How many of the early cars built could go 1000 miles without breaking down? The engine when running made the sound of exploding fireworks. This was the early days of the automobile industry. Today it is a mature industry.

    For that matter, take the garment industry. Cave men roamed the earth in their birthday suits. Then they used leaves etc. to cover their bodies. It has now progressed to manufacturing clothes as an industry.

    CEOs' pay scale is in the millions and it goes up by 10% every year even for no performance. Bureaucrats at government offices get over $150K and excellent benefits for doing no work - just travelling around and trying to be a diplomat. The knowledge required to be a super competent programmer is tremendous. In return what does the programmer get? (Jobs outsourced, long hours, ....)

    Software is a very young industry. Sure, things have come a long way. I'm all for accountability. Bureaucrats who can't program a line coming up with laws and solutions is a recipe for disaster.
  • I doubt there will ever be accountability without liability

    Where's the motivation?
  • Wrong end of the problem...

    The bill of rights, the department of commerce, and any other source of rights and wrongs cannot guarantee that every product you purchase will be suitable for how you use it, or free of defects 100% of the time.

    Office suite software is not antivirus software, so it should not be thought of as able to prevent malicious code from hurting your computer. Of course, if it does, all the better for you and the reputation of the vendor. When you buy a hammer, it is not guaranteed to drive every nail correctly, or even at all. In fact, there is no guarantee that your use of said hammer won't cause you serious and permanent injury. Why would you hold the machine operator that made the hammer responsible?

    It's fine to say that coding practices should be better, but you forget where more than half the problem comes from: the end user doing something they shouldn't.

    Phishing and virus spread through social engineering have NOTHING to do with the programmer. Educating the end user is more important than assigning accountability to the programmer.
    • There are other factors to take into account

      One is the function of the application and its support programs, like you said. The other is the users, and finally the vendor itself. Most of the time, the deadlines fixed to release a new product can induce problems. Like that old motto of "Release now, patch later".

      During the course of development cycles, flaws, errors and security problems are bound to occur when developing/extending an application, so rushing an application out the door without proper testing and enough time for its code to mature also, I think, contributes greatly to security concerns and problems.

      Not to mention those instances where backdoors (mostly for debug purposes) are left in applications and shipped that way. Maybe these were not intended to make it into the final version of the product (or were they?), but the fact that some of them may be present poses a potential security concern, as exploiters may find out how to take advantage of them.
  • Holding companies accountable

    The problem with holding companies accountable is that many of the vulnerabilities exploited have to do with the interactions between programs and not the programs themselves. If Windows is made invulnerable to viruses and some program like SPSS or ACT! is made invulnerable to viruses but there is a vulnerability exposed when the two work together, whose fault is the vulnerability? In the end, the only way the Internet is going to be made safer from this nonsense is when computer manufacturers sit down with software designers and redesign hardware to be less prone to exploitation. If the government wants to do something, they should organize such a meeting.
  • reality intrudes - but there are some things we can do

    I guess it's a good thing that Mr. Schmidt continues his practice of telling the world what it does not want to hear. But it has to take a lot of his energy to be on the "extremely paranoid" end of the security bell curve. And this seems to me to be an instance where he does not really appreciate the software development process.

    A well-managed software development process includes things like peer code review, regression testing and "total failure" load/performance testing. I don't think enough small companies are doing these kinds of things. I imagine Microsoft implements such practices but I worry that the peer review process has come down to "you scratch my back, I'll scratch yours."

    What really works against Microsoft is, in my opinion, the long-standing culture of, "it's good enough to ship if it works for all normal uses." There just isn't enough emphasis on the "what-ifs" - the dumb or malicious things users will do to the application.

    While the single-biggest flaw in all software - especially Microsoft's - is still the lack of bounds checking on buffers whose contents are filled via user input, the second-biggest is (again in my opinion) insufficient input validation. Both types of flaw are deeply rooted in programming culture.

    Believe me, I know - I've been a programmer for 30 years. Programmers are inherently lazy, and we look down our noses at the customers that use our products and think that they're doomed to be software users because they're not intelligent enough to be programmers.

    On the liability issue, there are software categories where the courts have upheld the notion of accountability and liability. Primarily the cases are in software that was marketed to fill a specific need and fails in the task and where the user of it incurs his or her own liability by using it. The most obvious example is accounting software that produces incorrect results in some cases, and I don't think even Excel has been immune from it.

    The counterpoint to the "software is imperfect" claim is that all software has to do what you say it does. You can't publicly claim the software performs some function then waive your liability in the licensing fine print. That many companies choose to change the software vendor, rather than seek justice, is likely the result of the cost of litigation being higher than the cost of re-engineering your application on a new platform.

    So that's the real world of software development. We won't solve the problems of code fitness by putting "inspected by #47" stickers on everything. We need to be willing to - and companies have to be willing to pay us enough to - develop well beyond the "works for me" standard of quality and to use programming paradigms that enforce or encourage correct coding practices.
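The two flaws the commenter above ranks first and second, a missing bounds check on a buffer filled from user input and missing input validation, shown side by side in C. This is an added example, not code from the article, the commenter, or any vendor named on this page; the 16-byte name field, the allow-listed character set and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size field for a user-supplied display name, NUL included. */
#define NAME_MAX 16

/*
 * Vulnerable pattern: the buffer is filled from user input with no bounds
 * check. strcpy() copies until it finds the NUL in src, so any src of
 * NAME_MAX bytes or more writes past the end of dst and into whatever
 * neighbours it on the stack (other locals, saved registers, return address).
 */
void set_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);   /* length of src is never checked against dst */
}

/*
 * Hardened version: both flaws are closed.
 *  1. Bounds check: src is scanned no further than dst_size bytes (so an
 *     unterminated src cannot be over-read) and the copy never exceeds dst.
 *  2. Input validation: only an assumed allow-list (ASCII letters, digits,
 *     space, hyphen, apostrophe) is accepted; anything else is rejected.
 * Returns true and fills dst on success; on failure dst is an empty string.
 */
bool set_name_safe(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0) {
        return false;
    }
    dst[0] = '\0';
    if (src == NULL) {
        return false;
    }

    /* Bounded length scan: stop at dst_size even if src has no NUL. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') {
        len++;
    }
    if (len == 0 || len >= dst_size) {
        return false;   /* empty, or would not fit together with its NUL */
    }

    /* Allow-list validation of every byte before anything is copied. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != ' ' && c != '-' && c != '\'') {
            return false;
        }
    }

    memcpy(dst, src, len + 1);   /* len + 1 <= dst_size, checked above */
    return true;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real system. */
    const char *inputs[] = {
        "Jane Q Public",                              /* fits, valid      */
        "this display name is far too long to fit",   /* rejected: length */
        "Jane\x01Public",                             /* rejected: control byte */
        "",                                           /* rejected: empty  */
    };
    char name[NAME_MAX];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = set_name_safe(name, sizeof name, inputs[i]);
        printf("input %zu -> %s\n", i, ok ? name : "rejected");
    }
    /* set_name_unsafe() is deliberately never called here: with the second
     * input it would overrun name[] and corrupt the stack. */
    return 0;
}
```

The order of the checks matters: the length is bounded before the bytes are inspected, and the bytes are inspected before anything is written, so a rejected input leaves the destination in a known state rather than half-copied.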
  • More in depth info from Howard Schmidt

    As publisher of Howard's most recent book (The Black Book on Corporate Security), I've learned first hand how important this is. For those interested in getting more detailed info from Howard I'll be happy to send you the ebook version of his chapter for free. Just email info@larstan.net and mention "Howard Schmidt Chapter" in the subject.

    Best regards,
    Larry Genkin
    Larstan The Black Book on Corporate Security
  • Accountability is a Must

    It's all very well to say that the person who wrote the "faulty" code shouldn't be hammered; however, I do feel that some form of traceable accountability is definitely needed. The one great example of course is "Open Source": if it goes bad, or is not properly protected, where do you go? Who do you turn to? Or do we now begin to see the type of rip-offs going on at Microsoft? If someone at Microsoft erred in their code and nobody spotted the error, guaranteed it will show up on our desktops.
    When we go back to correct a problem caused, "not out of malfeasance", at Microsoft, you now have to submit to a rectal examination. All this, to correct an error caused by THEM?
    We didn't do it, we bought the product in good faith and this is the payback? Does Microsoft then trace the code to find out exactly who wrote it, and how its implementation caused the problems we are now facing? I don't know; from the perspective of an owner all I can say is that when something goes wrong, I have to resort to the Microsoft finger and I'm getting a little "sensitive" and very tired of it. Somebody, somewhere should certainly be held accountable.
    They advertise quality. Seems to me, that a properly running program with all codes in place could be interpreted as quality, yes?
    So by all means, go after the code writer and if malfeasance is discovered then take the proper action.
    Look at us now, we're discussing "Vista" and we haven't even begun to solve all of the XP Problems as of yet { MY GOD!! }.
    Makes you wonder doesn't it?
    Imagine the code in Vista, who is responsible,
    Ultimately, by default, "Steve Ballmer".
    Thank you
    Aaron A Baker
    • You accepted the license agreement

      The license agreement states any liability Microsoft agrees to. If you do not accept the license agreement you can take the software back (yeah right) for a "refund". Microsoft's maximum liability is in most cases $5.

      Whether something gets traced back to a specific programmer or programming group, who knows. Someone has to review all the employees at Microsoft. I am sure the ones that suck get fired. Now how do you go after them?
      sokushi jonez
  • Yeah right

    All this does is drive development offshore where accountability and liability are non-existent. The day you start piling the lawyers onto the development process is the day you heave this stuff over to someplace where there is nothing to sue. What needs to be done is to get people with a frigging clue in the front end of the development process where things are defined and nuke the marketing weenies after their usefulness has ended. Heck, you might even want to make the marketing and sales yimyaws accountable and liable if it traces back to them. Then you can apply this to everything. Everyone is accountable and liable for everything. And when the US is in a quagmire of its own filth of accountability, India or China can come in and buy the joint.
    sokushi jonez