Recently, I was involved in a Twitter "debate" in which the original poster (@Wh1teRabbit) posed a question about holding software developers responsible for the security flaws in their code. As stated previously, I hate social media as a platform for any type of debate. It is simply too limiting, and comments are often taken out of context.
The point I was trying to get across is that I believe, just as in most other industries, software developers should be held liable for egregious errors resulting in security flaws. As a Libertarian, this hurts me to say, because I think the market will regulate itself: if you do something stupid, and the public cares about it, you will suffer. What many people seemed to take from my posts was that I support regulating an industry and that my regulation would stifle creativity. Others questioned me on how we could possibly hold software companies liable just because they are bad at security. My inadequate response was that companies should subscribe to and enforce some type of SDLC program. Most responses seemed to be "experts" crying foul about how I could possibly hold them accountable.
Fast forward one week. I read the following article about the Mars rover and something hit a nerve. (http://nakedsecurity.sophos.com/2012/08/06/mars-rover-curiosity-touchdown-and-you-think-youve-got-latency-issues/) The article was about latency problems, but I focused on the beginning. The rover had to reach the planet without hitting anything in space, decelerate from 5900 meters per second to zero (gracefully), plummet through 120 km of hostile Martian atmosphere, and land in a 20 km zone. If we can expect this from government employees and lowest-bid contractors, why do we not expect the same level of outcome from coders and software "professionals"?
I am NOT saying that NASA is the best or always gets it right, but I am saying that sticking our heads in the sand, or holding our breath and closing our eyes, is not the right thing to do. NASA has had some MAJOR issues with success lately. What many people don't realize is that every failure they have had was a result of not abiding by their own policies and procedures.
Have a system and work it. To not have a system is, in my opinion, willful neglect.
Bring it on! Let's "discuss" this. I will say that if you act unprofessionally, I will remove your post. Or worse, I will rewrite your post using ... and [sic] randomly so that you look dumb.