Expert: Hold developers liable for flaws

Former U.S. cybersecurity czar Howard Schmidt says coders should be held accountable for security problems in their software.

Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, a former White House cybersecurity adviser.

Speaking Tuesday at the SecureLondon 2005 conference, Schmidt, who is now CEO of R&H Security Consulting, also called for better training for software developers. He said he believes that many developers don't have the skills needed to write secure code.

"In software development, we need to have personal quality assurances from developers that the code they write is secure," said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL.

"They had strong authentication, strong passwords, an encrypted tunnel. The stored data was encrypted. But when that data was sent to the purchasing office, it was sent as a plain text file. This was not an end-to-end solution. We need individual accountability from developers for end-to-end solutions so we can go to them and say, 'Is this completely secure?'" Schmidt said.

Schmidt also referred to a recent survey from Microsoft finding that 64 percent of software developers were not confident that they could write secure applications. For him, better training is the way forward.

"Most university courses traditionally focused on usability, scalability and manageability--not security. Now a lot of universities are focusing on information assurance and security, but traditionally, Web application development has been measured in mouse clicks--how to make users click through," Schmidt said.

Companies that develop software also have a role to play, said Schmidt, by checking that prospective employees have relevant security qualifications before hiring them.

The British Computer Society agreed that there should be accountability in software development but argued that companies should be held responsible for the security of the code written by their employees, rather than by the employees themselves.

"Howard has gone to an extreme by saying software developers should be held personally responsible for the security of the code they write, but we broadly agree with the direction he's taking. I know a lot of developers who would be very uncomfortable with that level of accountability, especially if that were legal accountability. It is a company's responsibility to make sure the security features of its software are tested with rigor," a security representative for the BCS said in an interview.

"There is also the point that code isn't static. Once purchased, it can be modified," the representative added, pointing out that this would reduce individual accountability.

In addition, many security attacks succeed because people have not installed the latest patches or have installed a system incorrectly.

Businesses themselves should accept some responsibility for the security of the software they purchase, the BCS representative said. "The software has to be shown to be fit for its purpose. This is essential for producing a trustworthy online environment," the representative said.

Tom Espiner of ZDNet UK reported from London.