Hold Developers Responsible!

Started by QuadShot, August 30, 2012, 07:39:26 AM



Dangelus

Interesting article. I can't see it ever happening though. If a precedent was set then where would it end?

I think if it did there would be a lot less software as a result.

QuadShot

Well Dan, that's one theory. I think it's a great idea. Something should be done, can anyone deny that?

X

It would be like holding road builders accountable for drunk drivers killing someone. The person that should be sued is the person that commits the crime, not the creator of the product.

Even the first line of the article paints the picture wrong. If you eat a poisoned burger you sue the restaurant that sold it. You aren't suing the butcher, the baker, or the farmer. You're suing the place where you bought it. If we were to follow that example, we'd have to sue the store where we bought it (the seller) or the preparer (us, for putting it on our systems).

QuadShot

I disagree. I think that if someone creates something with the intent of selling that thing, they are responsible for making sure they've taken precautions that ensure that thing is safe and viable. I'm not saying that the article is exactly what we need; it is flawed. But it's a launching point.
And X, to your point, if I eat a poisoned burger, I will hold accountable everyone who had anything to do with that burger, as would you and everyone else. Perhaps a better example would be: if you ate a burger and it was undercooked, then you got very ill, then you sue the restaurant because they WERE directly responsible for your illness. Right? They were sold the raw meat. They know how to cook it; in fact, they have the tools to ensure that the meat is cooked to the proper temp. But they neglected to do so. Maybe the instruments to measure the temp were faulty, but does that matter? Nope. Because they have a duty to ensure that the product they sell is safe. I think the same should apply to developers. If you develop software for mass consumer purchase, it's your duty to perform all the tests that are reasonable to ensure there are no safety holes in that software that a malicious person could take advantage of.

I would propose that certain standards be put into place. If you create software that I buy and someone can break into it and steal my info, YOU are responsible to defend your creation. I have the right to challenge you in a court of law to see if you did your due diligence according to the guidelines (whatever those may be).

KingIsaacLinksr

I could only agree if the developers were proven to be malicious, sloppy or lazy with their coding and left security holes wide open for anyone to get into. How you're going to prove that, I haven't the foggiest clue, and that's troubling. This could lead to a lot of problems for developers, and I think expecting developers to see all possible holes and leaks in their software is asking way too much. Someone will always find a way. Their jobs are stressful enough as it is.
A Paladin Without A Crusade Blog... www.kingisaaclinksr.wordpress.com
My Review of Treks In Sci-Fi Podcast: http://wp.me/pQq2J-zs
Let's Play: Videogames YouTube channel: www.youtube.com/kingisaaclinksr

KingIsaacLinksr

Also, comparing software development to making food is hardly fair. We have standards of food and safety practice and they are relatively easy to follow. Because food and what causes food to go bad doesn't really change. I don't think we could have the same for software development because the world is constantly changing and advancing.

billybob476

I guess the question becomes how you would decide when a security hole is caused by "sloppy coding". Many security holes take very convoluted and complex exploit paths which are frankly never even fathomed by developers.

If a software company purposefully inserts a back door which is exploited then sure, prosecute them but where does that end? I know when I build something my intention is to make it as secure as possible. I go to great lengths to accomplish that. Do I still put out code that has errors and potential holes? Sure I do.

All I'm saying is that no matter who you are or what company you work for, you will never put out software that is error or security-hole free. It's like running a factory and saying you will never have an accident. It's a nice goal to have, but it's not realistically possible.

Bryancd

""The question is 'Are they being negligent?'. The usual test is 'Are they applying contemporary standards to the quality of their work?'," he says, adding that known flaws can be exposed by running code through commonly available security tools and validation suites."

This quote is kind of where the rubber meets the road on this. We also need to consider caveat emptor; we as consumers assume responsibility for fair use of a product. Assuming we are not forced to use a software application, there needs to be shared responsibility between buyer and provider.


QuadShot

Quote from: KingIsaacLinksr on August 30, 2012, 09:44:43 AM
I could only agree if the developers were proven to be malicious, sloppy or lazy with their coding and left security holes wide open for anyone to get into. How you're going to prove that, I haven't the foggiest clue, and that's troubling. This could lead to a lot of problems for developers, and I think expecting developers to see all possible holes and leaks in their software is asking way too much. Someone will always find a way. Their jobs are stressful enough as it is.

Well, how do you prove the restaurant who served you the undercooked burger was at fault? And Tim, why would a developer need to be proven malicious? That's not the question here. The question is negligence.

QuadShot

Quote from: KingIsaacLinksr on August 30, 2012, 09:52:52 AM
Also, comparing software development to making food is hardly fair. We have standards of food and safety practice and they are relatively easy to follow. Because food and what causes food to go bad doesn't really change. I don't think we could have the same for software development because the world is constantly changing and advancing.

Yeah, but Tim, do you think that was ALWAYS the case? It's probably hard to imagine for any of us, since we've been enjoying the "fruits" of others' labors for generations, but once upon a time the food industry had no standard practices in place. They had to be developed, as I'm suggesting this needs development.

QuadShot

Quote from: billybob476 on August 30, 2012, 09:53:16 AM
I guess the question becomes how you would decide when a security hole is caused by "sloppy coding". Many security holes take very convoluted and complex exploit paths which are frankly never even fathomed by developers.

If a software company purposefully inserts a back door which is exploited then sure, prosecute them but where does that end? I know when I build something my intention is to make it as secure as possible. I go to great lengths to accomplish that. Do I still put out code that has errors and potential holes? Sure I do.

All I'm saying is that no matter who you are or what company you work for, you will never put out software that is error or security-hole free. It's like running a factory and saying you will never have an accident. It's a nice goal to have, but it's not realistically possible.

Right, but (and this is as I feared) those in favor of "free tech for everybody" are taking this WAY out of context. What I'm proposing, and I'm sure the subject in the original article is, is to produce a (for lack of a better term) standard checklist for developers to heed. Whatever that list may be, developers must follow it and "CYOA". If they can prove they've adhered to the safety list (or whatever it would be called), then they could have a successful defence.

QuadShot

Quote from: Bryancd on August 30, 2012, 10:20:40 AM
"“The question is ‘Are they being negligent?’. The usual test is ‘Are they applying contemporary standards to the quality of their work?’,” he says, adding that known flaws can be exposed by running code through commonly available security tools and validation suites."

This quote is kind of where the rubber meets the road on this. We also need to consider caveat emptor, we as consumers assume responsibility  for fair use of a product. Assuming we are not forced to use a software application there need to be shared responsibility between buyer and provider.
That goes without saying. I'm not suggesting that the person who takes a program and uses it for purposes other than it was intended should have a legal leg to stand on. I'm talking about the person who uses a program as it was intended, who suffers from "possible negligence", having recourse. Bryan, one is not forced to drink a cup of steaming hot McDonald's coffee and spill it on themselves, yet, and we've seen this, it is possible and quite probable that that person could sue the pants off of McDonald's because they were scalded.

Everyone is looking at this as me (and the subject in the article) attacking the poor honest defenseless computer programmers, but it's not. I think that we've entered into such a new age that the old rules need to be redesigned. Creating standards like this for software would also protect the developers in the long run. If they're adhering to the standards, they're protected. Some of you view this as the catalyst in dampening the computer programmers' spirit, which will result in less and less software development, but why? Why would it do that? Why would it foster anything negative at all?

Bryancd

Off topic, but weren't all those scalding lawsuits dismissed?

billybob476

There are certain standards in existence, such as PCI for storage of credit card and other personal info. It is best practice to code for PCI compliance, but not a requirement.