

SANS: Make software development organizations "legally liable" for errors - ilamont
http://www.csoonline.com/article/544163/Security_Experts_Developers_Responsible_for_Programming_Problems

======
volomike
Am I alone here in thinking how troubling this is? Many products are started
for a few hundred dollars by people just getting started in programming.
Financially punishing them does not solve this problem because they just fold
up and shut down, leaving only the wealthier organizations, which, of course,
kills innovation. The other day, FEMA (a US Gov agency, for those foreign to
that term) put out a contract where they want to hire an organization to help
it with social media distribution of news, and one of those networks was
Twitter. Think of that -- a massive government institution receiving millions
every year, depending on code that is relatively simple in concept. Twitter was
started on a prayer and a song. The idea of Twitter is one I cannot say a
behemoth like Microsoft, Novell, Oracle, Cisco, etc. would have created out of
the blue. They don't think in these terms, unfortunately, but boy, don't they
run to these companies to use them or to buy them up when they have a major "we
should have built that" moment? If SANS/Mitre reviewed Twitter in its infancy
and filed a lawsuit against it for security flaws, or if we web developers had
to fear a class action suit every time we coded something, then things like
Twitter would never happen.

Instead, organizations like this would better spend their dollars working on
education of the developer community on building secure, bug-free apps, where
support is possible. This is one of the reasons why the GPL is fantastic. You
can still make a profit from your software, yet the code is freely visible,
can be changed and upgraded, and most often is community-supported and
outstanding. When more developers can see the code, all bugs are shallow.
Although this has been changing over the past 6 years, with companies like IBM
and Novell taking the lead, the GPL is something that most behemoth software
companies usually do not want for their code. So think of that: if lawsuits
stifle innovation such that only the big behemoth companies are the ones we
turn to, then this most often means proprietary code you cannot see, cannot
fork, and cannot have widespread community support for, where code can be
altered or improved. And that makes the problem worse.

~~~
va_coder
An analogy could be made to selling a house: What if we made home sellers
liable for selling a house that didn't have "sufficient" security? What if a
rapist breaks into a house that didn't have bars on the windows? Should we
make the home seller liable for not putting bars on the windows?

~~~
flogic
However we also have home inspectors.

------
kijuhygfh
Welcome to the $20,000 copy of Windows.

Do you know how much an FAA-certified GPS costs compared to the identical one
in your cellphone? The extra margin is just the insurance against getting
sued.

Would the users be required to prove that the software was installed by an
engineer certified by the maker? Would you like to prove that you had used it
in accordance with the instructions?

~~~
makmanalp
The opposing argument is: "If a company making a toaster can get sued for not
putting in adequate security measures (such as a fuse) and hurting someone,
what makes software so special that it is exempt from such responsibility?"

On one hand I like the fact that it's so easy to create software without
having to deal with any bureaucracy other than itself (and I agree that a lot
of security problems are very subtle and easy to miss), but on the other hand I
see the mistakes some companies make that end up in, for example, the
exposure of private information for some 50,000 customers.

~~~
Flemlord
If only software bugs could be isolated down to something simple like "don't
forget to include a fuse".

------
ericd
So... they're trying to legislate a big boost to the security industry? Who's
heading this up? From SANS' website: "SANS is the best and most trusted source
for computer security training." Ah, now it makes sense.

Seriously, though, this would be massive overkill. It should be regulated in
life-threatening or economy-threatening industries (and I believe it is), but
if applied to everything, this would kill a lot of innovation in the cradle.

------
synnik
There is a huge distinction between being "responsible" for errors and
"legally liable".

Responsibility is just good practice - own the problems and provide
resolutions. But legally liable? No way.

Even the most mature products still have flaws. I cannot imagine trying to do
a startup if "legally liable." -- "Release Early, release often, but carry a
huge insurance premium." No. No, I don't think so.

------
nradov
Caveat emptor. If the customer wants the vendor to be legally liable for
defects then the customer should insist that be included in the contract. No
one is stopping them from doing this right now. It doesn't require changing
any laws or regulations.

------
Groxx
There's so much wrong with this idea. Certainly, offer a certification that
lets you opt-in; as nradov pointed out, there's nothing to stop this from
existing.

Why should software be treated differently? Easy: Software lets you go from
zero to over-9000 in precisely no time flat.

In effectively _every_ other business, you need to produce before you can
sell, which gives you a buffer time to see errors and fix them before they
bankrupt you, or even to jump ship before the storm hits by never making
enough. Plus, with software, can you _really_ prove they bought what you sold,
and didn't pirate it?

If someone crashes a cheap-duplicate car, you can tell, and you're not liable.
If someone crashes an application, the only chance to identify it is to check
their account. And even then, they could've modified your application, and
deleted the modified version, so checksumming the app after the fact isn't
proof.

------
epochwolf
The top 25 errors from last year: <http://www.sans.org/top25-programming-errors/>

Detailed list: <http://cwe.mitre.org/top25/>

~~~
Zak
Of note: the only language mentioned by name is PHP.

------
bwh2
What happened to personal responsibility? If you don't like my software, don't
buy it, don't agree to the terms, and don't use it.

~~~
irons
Minimum standards of personal responsibility don't protect you from your
customers, they protect your customers from you. Customers are not in a good
position (to say the least) to evaluate whether a software shop is competent.

------
bradgessler
I would argue that this problem has already been solved with contracts between
companies. If you wanted Microsoft to be liable for bugs in their software,
you'd probably pay gobs more money for their applications, which Microsoft
would turn around and pay to insurance companies to limit their liability.

