Should Developers be Accountable For Flaws?

Howard Schmidt, former White House cybersecurity advisor, is quoted in a ZDNet article suggesting just this. Like many politicians, his comprehension of the real issues borders on ignorance.

I am not advocating that software with security flaws is a good thing. In fact, I would be the first to agree that developers need to do a better job (especially some developers). But asking developers to be accountable for the flaws is like asking the individual carpenters to be responsible for flaws in a house. It is the contractor's problem if something is wrong with the job. In the same way, it is the software vendor's problem when something is flawed with a software product. Of course, I could digress at this point into a big rant about software licensing and what it means to "own" software. I could also mention that in the open source model there is no vendor per se. But for the purposes of this particular blog entry, let me just say that I disagree with Schmidt's premise.

However, what is really needed is a good understanding of what security is when it relates to software and the internet. Just as you could not hold a contractor responsible if your house was robbed and you had left the doors open, there is a point at which the accountability changes from the vendor to the owner or even to the criminal or hacker. After all, the party that is really to blame when a house is robbed is the thief.

So rather than assign blame for security flaws, I believe the best answers lie in better methods of finding the culprits and bringing them to justice.
