Security Expert can't have ever coded

So, according to ZDNet, Security expert Howard Schmidt wants coders to be held responsible for vulnerabilities in their code. This is REALLY dumb.

He gets one thing right – I’ll give him that. Most developers don’t have an adequate idea of what security entails, and training in this is, at best, extremely rare. There should be more of that, both at university and in the job – attacks evolve, after all.

But making developers responsible? When they don’t have the authority to control the product? Management choose what features are ‘in’ or ‘out’, project times scales, budget, etc.. I’d love to produce better code, but my boss will reject my ‘It’ll take twice as long and be 3 times as expensive’ – and rightly so.

Why rightly? ‘Cos it wouldn’t sell. Many customers want a lot for very little money, and there is not such thing as a free lunch. If you buy a Ford Fiesta, you get a Ford Fiesta, not a Ferrari. We could write more secure products, but they wouldn’t sell. Customers almost invariably go for the cheapest option.

I like the comparison between software and the aerospace industry. Computers crash – we wish they didn’t by they do. Airplanes don’t (well, not often, statistically speaking. I mean, how many times has your PC crashed, and how many times have you been in a plane crash?) The difference is that designing, building and testing planes is a slow, detailed, heavily documented process that is, therefore, very expensive. People are willing to pay that as a plane that doesn’t work is, well, a bad thing. A visibly bad thing. Bad software isn’t usually such a bad thing, and it’s unlikely to be so visible.

Anyway, back to the point – I’m not the one who sets a ridiculous deadline in the first place. I’m not the one who reduces our budget. I’m not the one who decides to skip some testing to meet a deadline. I’m not the one who expects a developer to be able to design, implement and test a system, which really are 3 seperate roles (although where I work, at least we don’t test our own stuff). And if they are 3 roles, who’s fault is a security hole – the designer (who designed it in), the developer (who wrote it) or the tester (who didn’t find it in testing)? Or even the manager, who stuffed it all up with an infeasible deadline in the first place?

Finally, a developer can only have ownership of his part of a solution. You could have hundreds of coders working on a project, and those lines will become blurry. Perhaps the issue lies in how two bits of code work together – that in isolation they work fine, but when talking together their interface has been interpretted differently.

I’ll accept personal liability when I 1) have total control of the project and 2) earn 3 times what I get at the moment.

Anyway, I’m not going to get too worked up. It turns out “Mr. Schmidt holds a bachelor’s degree in business administration (BSBA) and a master’s degree in organizational management (MAOM) from the University of Phoenix. He also holds an Honorary Doctorate degree in Humane Letters.” ‘Nuff said

Security Expert can't have ever coded

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.