Speaking Tuesday at the SecureLondon 2005 conference, Schmidt, who is now CEO of R&H Security Consulting, also called for better training for software developers. He said he believes that many developers don't have the skills needed to write secure code.
"In software development, we need to have personal quality assurances from developers that the code they write is secure," said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL.
"They had strong authentication, strong passwords, an encrypted tunnel. The stored data was encrypted. But when that data was sent to the purchasing office, it was sent as a plain text file. This was not an end-to-end solution. We need individual accountability from developers for end-to-end solutions so we can go to them and say, 'Is this completely secure?'" Schmidt said.
Schmidt also referred to a recent survey from Microsoft finding that 64 percent of software developers were not confident that they could write secure applications. For him, better training is the way forward.
"Most university courses traditionally focused on usability, scalability and manageability--not security. Now a lot of universities are focusing on information assurance and security, but traditionally, Web application development has been measured in mouse clicks--how to make users click through," Schmidt said.
Companies that develop software also have a role to play, said Schmidt, by checking that prospective employees have relevant security qualifications before hiring them.
The British Computer Society agreed that there should be accountability in software development but argued that companies, rather than the employees themselves, should be held responsible for the security of the code written by their employees.
"Howard has gone to an extreme by saying software developers should be held personally responsible for the security of the code they write, but we broadly agree with the direction he's taking. I know a lot of developers who would be very uncomfortable with that level of accountability, especially if that were legal accountability. It is a company's responsibility to make sure the security features of its software are tested with rigor," a security representative for the BCS said in an interview.
"There is also the point that code isn't static. Once purchased, it can be modified," the representative added, pointing out that this would reduce individual accountability.
In addition, many security attacks succeed because people have not installed the latest patches or have installed a system incorrectly.
Businesses themselves should accept some responsibility for the security of the software they purchase, the BCS representative said. "The software has to be shown to be fit for its purpose. This is essential for producing a trustworthy online environment," the representative said.
Tom Espiner of ZDNet UK reported from London.




1. The developers are often under pressure from upper management to release in a specific time frame. These are people that don't accept "we need to do it right" as a reason for delays.
2. There are so many variations and interactions with other software and hardware, that it is virtually impossible to test every single case involved.
3. Code often passes through many developers' hands. Who would get the blame?
4. Most people are not ready to pay for the kind of software discussed here. Imagine your $99 piece of software costing $5K-$10K, or your $299 Office package costing $20K.
There are a lot more flaws with this line of thinking, that's just the beginning.
I do agree with the notion that we need to focus more on security, but the arguments made here are simple minded and short-sighted.
The argument was made elsewhere that it's the gun companies that get sued when one of their products is used for malicious purposes, not the people on the assembly line.
"1. The developers are often under pressure from upper management to release in a specific time frame. These are people that don't accept "we need to do it right" as a reason for delays."
Hold the companies liable and not developers.
"2. There are so many variations and interactions with other software and hardware, that it is virtually impossible to test every single case involved."
True, but in most cases it has to do with shoddy programming and has nothing to do with other software or hardware.
"3. Code often passes through many developers' hands. Who would get the blame?"
Well if documented properly... the person who caused the problem. But, that would still be a management problem since it's the company that should be held liable not the developer.
"4. Most people are not ready to pay for the kind of software discussed here. Imagine your $99 piece of software costing $5K-$10K, or your $299 Office package costing $20K."
If software developers were trained right the cost would be minimal. Most people wouldn't know the difference. Of course what about those programs that do cost several thousand dollars? Should we hold those people responsible?
"There are a lot more flaws with this line of thinking, that's just the beginning. I do agree with the notion that we need to focus more on security, but the arguments made here are simple minded and short-sighted."
True, there are a lot of unthought of things here, but most companies, schools, and developers aren't going to start thinking about it till somebody holds them responsible for it. Companies are too hard on employees, but consumers are being too light on companies. Software companies need to be accountable for their work just like anybody else.
In order for the software to sell, the software designers that work on the user interface and how your software interacts through automation within a platform (secured or vulnerable OS), would share the blame for the security lapses. For example, the moment you place macros and automation on Excel Files, Word, and running of ActiveX scripts and other such facilities on any program, it will be full of security holes. If the email would have stuck to just displaying plain text file that would not trigger reinterpretation for rendering by the mail client, and only text file without any attached binaries, then we should have no problems with viruses spreading through email. It is the convenience of the use of cool-looking email format and the cool attachments that made it convenient to propagate viruses and malware by email. It is the managers and marketing department who specified it so, not only developers. You can't have both convenience of use and secured software at the same time. There is no way a software developer can see all permutations or combinations of the usage of software beyond its specified user interface usage, it will be too costly to think all the possible combinations. To start with, the various operating systems are full of security holes, and the standard protocols themselves are full of security holes. So let us not put the blame on the software developers alone. The entire industry needs a major revamp. From the chip manufacturers that have software drivers with lots of security holes, to the processors that have security holes, and to the OS that have security holes, and the standard protocols that can have security holes, and add to that the software designers, marketers, software developers. So everybody should be toasted, no exception, and it should not be the burden of software developers alone.
But yet, apparently software engineers are different.
Do I get to sue all McDonalds employees if I get fat?
>company personally responsible and liable if
>someone is murdered with their weapons
*and*
>Do I get to sue all McDonalds employees if I get
>fat?
Your analogies are off.
You would get to hold the gun company liable if the gun malfunctioned and blew up. You would be able to sue McDonalds if their food was tainted. So, according to the logic in the article, you should be able to hold a software company liable if their software has security holes and bugs, and does not work as advertised.
products but nothing to protect against bad software. What about the Y2K thing and all the money that Microsoft and the others made by charging to fix yours, businesses' and the government's defective product... that they knew would possibly be defective when they sold it. If you don't like a meal at a restaurant, find a bug in it or even a hair you can send it back.
About the comparison with lemon laws and other products, your analogy doesn't hold. Most software is working on an unknown set of hardware with a combination of a myriad of unknown software. It is impossible to predict what can go wrong in such a setup.
If GM or Toyota lets you buy a car, change the engine, modify the body, change the battery and then still pays you for "warranty" then we are talking.
OR
If you agree to buying the exact spec of hardware and not installing any other software and strictly operating a piece of software per instructions, then we can think of such warranty/guarantees.
You can't have the cake and eat it too. If you do, poop will get the better of you!!!
What happens if the OS makes a change that now creates a security breach in the program? Who is to blame then? What's to stop people from saying it wasn't an issue when the software was created? Something ELSE changed to cause the security breach.
_______________________________________________
If they're going to do this, why stop here.
Let's go after the lawmakers who create badly written laws that allow someone to escape because of a loophole.
While I do agree that software security is needed, it's just not possible to test for EVERY possible situation that may cause a security issue.
What happens if someone hacks the software, does that now become the software maker's problem because the person did something illegal?
Where does it end...
Hold car manufacturers liable for car thefts.
Hold credit card companies liable for stolen wallets.
Whatever...
Not if the thief smashes the windows and breaks the ignition and there are no devices to keep it from starting (an alarm). Yes if the door locks don't lock the door and the ignition works with or without a key or the factory installed alarm doesn't work the way it should.
"Hold credit card companies liable for stolen wallets."
Well, no. Credit card companies are liable if the data is stolen from one of their servers that has a security flaw.
"Hold electricians liable for home break-ins"
If their shoddy work causes alarms or electric locks to not work then they should be held liable.
***
I don't see why software companies shouldn't be held liable for producing broken software. There will always be flaws in software and I don't think that was the point. I believe the point was that when a developer doesn't know how to or try to secure software then they should be held liable just like any other company. However, is it their fault if they produce a patch, but the end user doesn't install it? In my opinion... no. Should they be held liable if some other software or the OS itself causes a security problem? No. In those cases it's not necessarily their software that's to blame.
I figure software developers will act like this is the end of the world, but really it will separate good developers from shade tree developers. I figure, at least in the beginning, it will drive up software costs, but after a while they will go back down. I am for holding software companies liable for bad software. And I'm sure that if the day ever comes they will really need to sit down and determine what makes a software company liable.
Electricians (contractors) are liable if they screw up installing the alarm and your house gets broken in, and car manufacturers are held liable for numerous defects (even tire companies), and credit card companies do get the bill when your wallet is stolen and your cards get used.
Although I agree with the earlier sentiment that it is the person who writes the requirements and sets the dates that should be held responsible not the developer.
2) How are damages done to a firm using the software calculated? How does one measure material financial damages, much less wasted end-user's time? Impossible
3) How is the firm developing the software expected to test the software's interaction with all flavors of hardware, software, and the combination of both? What's the OS in use, what's the version, is it patched, what's the client running, what other apps are installed, what Stupid User Tricks have been performed, etc.? Impossible to consider all possibilities and it only gets more complicated every day
4) Can we go after an individual or a company that wrote code 5 years ago that interacts poorly with code written 1 year ago? Not reasonably
5) How are penalties assessed? If the software costs the firm using it $1 million, what sense does it make to go after a kid making $30K? Go after the company then? Remember, there are a lot of small shops out there that don't have close to $1 million in assets that turn out apps used by multi-billion dollar firms, so in many cases it wouldn't make sense to go after them either
6) Show me a developer or company claiming they write bug-free code and I'll show you a liar
I think Mr. Schmidt should sit down and code an app for commercial use then revisit the topic. I daresay his tune would change...
Oracle but, it confirms the second half of your sentence.
- Could only run software on certified machines
- Could only run approved software on the machine
- Only certified users could run software
- Price!
- Less innovation
- 90% of it would still be crap, granted it would probably be secure crap.
- More open source?
One thing, I think the statement should apply to the source code owner instead of solely the developer.
- It would work, but who would want the consequences.
- by PcolaJamie October 12, 2005 12:15 PM PDT
- Consequences of this: