ZDNet UK
Developers 'should be accountable' for security holes

Tom Espiner, ZDNet.co.uk

Published: 12 Oct 2005 12:15 BST


Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, former White House cybersecurity advisor, on Tuesday.

Speaking at Secure London 2005, Schmidt, who is now the president and chief executive of R&H Security Consulting, also called for better training for software developers, many of whom he believes don't have the skills needed to write secure code.

"In software development, we need to have personal quality assurances from developers that the code they write is secure," said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL.

"They had strong authentication, strong passwords, an encrypted tunnel. The stored data was encrypted. But, when that data was sent to the purchasing office, it was sent as a plain text file. This was not an end-to-end solution. We need individual accountability from developers for end-to-end solutions so we can go to them and say: 'Is this completely secure?'," Schmidt said.

Schmidt also referred to a recent survey from Microsoft which found that 64 percent of software developers were not confident they could write secure applications. For him, better training is the way forward.

"Most university courses traditionally focused on usability, scalability, and manageability, not security. Now a lot of universities are focusing on information assurance and security, but traditionally Web application development has been measured in mouse clicks — how to make users click through," said Schmidt.

Companies that develop software also have a role to play, said Schmidt, by checking that prospective employees have relevant security qualifications before hiring them.

The British Computing Society (BCS) agreed that there should be accountability in software development, but argued that companies should be held responsible for the security of the code written by their employees, rather than the employees themselves.

"Howard has gone to an extreme by saying software developers should be held personally responsible for the security of the code they write, but we broadly agree with the direction he's taking. I know a lot of developers who would be very uncomfortable with that level of accountability, especially if that were legal accountability. It is a company's responsibility to make sure the security features of its software are tested with rigour," a security spokesperson for the BCS told ZDNet UK.

"There is also the point that code isn't static — once purchased it can be modified," the spokesperson added, pointing out this would reduce individual accountability.

In addition, many security attacks succeed because users have not installed the latest patches, or installed a system incorrectly.

Businesses themselves should accept some responsibility for the security of the software they purchase, according to the BCS.

"There is an element of 'caveat emptor' — buyer beware. Before buying any software an enterprise should check whether a vendor uses their own security software. They should also be accredited with a CMM [Capability Maturity Model] standard — it's like a kitemark. CMM level three, four or five is an indication the software has been developed by quality developers," the BCS spokesperson said.

"The software has to be shown to be fit for purpose. This is essential for producing a trustworthy online environment."
