Reply to Message

Sounds good in theory

wolf_z 11th May 2009

No so much in practice.

Using the toaster analogy, would you expect the toaster to work underwater? How about a US toaster taken to Europe or Japan? Oh, and what do you mean this toaster can't handle bagels? It's a toaster, innit?

Oh, some SOB used a *toaster* to smash open my car window! Quick, sue General Electric for making a dangerous product! I bet that thing could *kill* somebody if you hit them with it...

Most significant software starts at a line count of at least 100,000 lines of code. Now lets say there's a law that says developers are responsible for software security flaws.

I create a new program and market it, using best security practices. It's immune to every known security hack.

Then a week after it goes on sale some twisted genius comes up with a bizarre *new* attack nobody ever heard of. It's brilliant, and cuts through most security like swiss cheese.

Should I be responsible because I didn't forsee a mad genius's new hack? According to this proposed law I would be.

How's that fair again? Of course such a law would favor big corporations, who could afford the massive testing you'll need to comply. Guess who's now screwed?

Open source, for one. The little mom and pop shops for another. Individual programmers who can't possibly afford the efforts required.

Oh, and innovation? Forget it. Everybody's too busy locking things down, pulling *out* features that are too hard to secure.

Best practice, security wise. If a feature's *NOT* there you can't attack it. Make developers responsible for security breaches and that's exactly what they'll do. It's what *I* would do, and I'm a developer.

Of course, programs will be *very* secure. They'll cost 5 times as much, be delivered in 10 years as opposed to 6 months, and not do a whole lot--but by God you won't be able to break them with a sledgehammer!

That the software landscape you want?