By Tom Espiner, 13 October 2005 08:35
Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, a former White House cyber security adviser.
Speaking on Tuesday at the SecureLondon 2005 conference, Schmidt, who is now CEO of R&H Security Consulting, also called for better training for software developers. He said he believes that many developers don't have the skills needed to write secure code.
He said: "In software development, we need to have personal quality assurances from developers that the code they write is secure."
He cited the example of some developers he recently met who had created a web application to talk to a back-end database using SSL: "They had strong authentication, strong passwords, an encrypted tunnel. The stored data was encrypted. But when that data was sent to the purchasing office, it was sent as a plain text file. This was not an end-to-end solution.
"We need individual accountability from developers for end-to-end solutions so we can go to them and say, 'Is this completely secure?'"
Schmidt also referred to a recent survey from Microsoft finding that 64 per cent of software developers were not confident they could write secure applications. For him, better training is the way forward.
"Most university courses traditionally focused on usability, scalability and manageability - not security," he said. "Now a lot of universities are focusing on information assurance and security but, traditionally, web application development has been measured in mouse clicks - how to make users click through."
Companies that develop software also have a role to play, said Schmidt, by checking that prospective employees have relevant security qualifications before hiring them.
The British Computer Society (BCS) agreed there should be accountability in software development but argued that companies should be held responsible for the security of the code written by their employees, rather than by the employees themselves.
A security representative for the BCS said in an interview: "Howard has gone to an extreme by saying software developers should be held personally responsible for the security of the code they write but we broadly agree with the direction he's taking.
"I know a lot of developers who would be very uncomfortable with that level of accountability, especially if that were legal accountability. It is a company's responsibility to make sure the security features of its software are tested with rigor."
The representative added: "There is also the point that code isn't static. Once purchased, it can be modified", pointing out that this would reduce individual accountability.
In addition, many security attacks succeed because people have not installed the latest patches or have installed a system incorrectly.
Businesses themselves should accept some responsibility for the security of the software they purchase, the representative said. "The software has to be shown to be fit for its purpose. This is essential for producing a trustworthy online environment."
Tom Espiner writes for ZDNet UK

Comments
There are 6 comments.
1. Parveen Kumar
Typical un-technical people commenting on Software Development. As it is, Software Developers take the burden of meeting unrealistic deadlines which are set by Commission Hungry sales people, and Bonus Greedy CIOs. Organisations frequently dump the responsibility of "Business Decisions" on Developers just because they are too lazy or just plain ignorant of the business rules to put in place. How about turning the Salary structure upside down with Software Developers at the top and CIOs at the bottom?
2. anonymous
Brilliant idea! Forcing American programmers to hold personal legal liability for software security will singlehandedly kill what's left of this country's programming talent pool and drive it offshore to places like China or Romania, where you can argue your legal rights until you are blue in the face. What a moron!
3. Anonymous
Why not start with removing policy makers like Mr. Howard from the undeserving post he currently holds? That will surely be a major step towards software security in terms of policy making.
4. Joe Whitehead
It has been proven that as software complexity increases, there will always be an increase in bugs including security bugs. The fact is that developers are ALREADY trying to avoid adding bugs by designing the software's layout long before a single line of code is written. Anyone who's taken a computer science course will know exactly how much effort goes into making programs easier to debug = fewer bugs in the first place.
Legal liability and regulations are Big Software Houses' way to drive out independents just like how any regulations tend to protect monopolies.
5. Tim Cummins
As Executive Director of IACCM (a non-profit association), I represent contract professionals and negotiators from many of the world's leading corporations. Our members would be at the forefront in battles over such onerous contract terms. We do not view such confrontation as desirable, or a good use of time. Representing as we do both buy-side and sell-side, on a global basis, we were recently asked by the US Government to join a workshop in DC to discuss this topic and assist in finding a solution.
We are in a unique position to bridge this issue and assemble realistic guidance. Therefore, we have assembled a cross-industry team of senior managers, lawyers and contracts professionals. Initial goals include:
Development of a risk matrix to assist in determining relative priority for secure software
Contribution to a revised 'body of knowledge' for acquisition professionals
Identification of likely consequences of increased security (eg on delivery, price and maintenance / support)
6. Andre Maisonneuve
Mr. Howard Schmidt suggests that “better training is the way forward”.
While this suggestion is very valuable and indeed security should be inserted into “most university courses”, it remains a long term solution to a very immediate problem.
In the meantime, developers can use development tools that allow them to insert complete security in the exchange of data among and between applications, without having to go through a long learning process in security and communications.
Validian ASI is such a product. For any enterprise, providing Validian ASI to their developers should demonstrate that they employed the “best of breed” environment and acted as responsibly as possible.
Validian ASI™ is a low-overhead, integrated development tool and deployment environment that enables data-exchange security to be integrated into applications rapidly and easily, delivering uniform application-layer security.
Validian ASI externalizes the security and communication functions, protects exchanges against all types of attacks, providing data integrity and confidentiality during transit and ensuring data never travels in the clear.