A story on ZDNet on making code more secure quotes Howard Schmidt, former White House cybersecurity adviser as well as Microsoft and eBay security czar and now CEO of R&H Security Consulting, about holding developers accountable (not liable) for the code they write (the headline on the story, "Expert: Hold developers liable for flaw," is inaccurate and will be corrected). "In software development, we need to have personal quality assurances from developers that the code they write is secure," Schmidt said during a presentation at the SecureLondon 2005 conference. He cited studies showing that developers don't generally have confidence that their code is secure and lack proper training.
I talked to Schmidt when he returned from London this afternoon, and he gave me his take on accountability and on where liability fits into the picture. He believes that more rigorous inspection of code (the coder's work) is required before it gets into production. "An auto worker or garment worker is paid based in part on how well they do their job. When you buy clothing, you'll find an 'inspected by' tag with someone's name. It would be nice if when you develop internally or buy software you get 'inspected by' information, and if it doesn't meet standard you have a 1-800 fix me number to call," Schmidt said. He suggested that performance reviews take into account adherence to security models designed into the employee's code.
That makes sense, but how do you measure security in code? He said that there are currently enough tools, such as OunceLabs and Fortify, that can analyze source code before it's even compiled. In addition, penetration tests can be run, and internal-facing Web applications could also be checked for vulnerabilities. Outsourced contractors and suppliers should be held to the same standards.
Schmidt said that he is not in favor of assigning liability if a company (not the individual programmer) has done its due diligence, quality assurance and testing. "If something slips through, it's not a liability issue. In the case of open source code, who do you hold responsible if there is a defect?"
In his view, liability suits related to software security don't have much benefit. Either taxpayers or shareholders end up with the bill: if the government pays, taxpayers foot it, and if a company pays, it raises its prices to cover the costs or has to cut staff or employee pay, Schmidt said.
We've gotten used to letting companies, including one of Schmidt's former employers, off the hook, and paying hard-earned money to patch and secure systems that ship with defective code. Microsoft didn't intend to make insecure software, but its flaws gave malicious hackers a way into systems and collectively cost businesses billions. As Schmidt says, educating programmers and having better disciplines around secure coding are critical, but companies, not just the individuals, have to be held accountable for their products. Suing them isn't the answer unless there is malicious intent or serious malfeasance, but taking your business elsewhere, if possible, is.