Developers ‘should be liable’ for security holes - ZDNet UK News

Making developers liable for security exploits is a stupid idea. The first problem with it is, who do we blame? Most of the security bugs nowadays are not your typical buffer overflow kind, which could have been prevented with careful programming. Most of the security bugs today have to do with interactions between system components. Let me explain.

There are two kinds of bugs, security or otherwise. Bugs that reflect the programmers lack of knowledge of a well established coding practice or API usage, and bugs that unless you have actually written the same code before in the same circumstances, you could not have predicted would occur.

If a web programmer takes a string from a user in a web form, and then passes that string unquoted to a shell, that programmer shouldn’t be allowed within 15 feet of a web app. If a programmer writes a piece of code that interacts with other pieces of code, and the resulting interaction has a bug (which might be exploitable), we have an interaction bug. It’s one of those “How could I have known?” moments we’ve all had. And if you sit and think about all the possible interactions before writing any code, you never get anything done.

What about liability? Assuming you have a sensible version control system in place, you can ask the question “Who wrote this pice of crap?” and get an answer. But who do you blame when the security bug is a result of a combination of changing APIs, implementing new features, fixing old bugs, etc. The answer to “Who wrote this piece of crap?” is “a group of programmers working at different times”. For the web app example, some of the code might have been written when it wasn’t a web app at all. There is human history in the code. It was written by humans.

And humans make mistakes. There is no way to avoid that. We just screw up every once in a while. Depending on how much you have to pay for your mistakes, you might be afraid of doing anything daring again. For instance, if I write a little application (single author, so all the bugs are mine), and get sued because it has a security bug, guess how many more applications I’ll be writing. None. The cost of making a mistake is too expensive.

If companies are liable, you’re just moving the problem to management. Companies get sued, so they are hesitant to put new applications out there. Applications that are not being used are not being debugged, and are thus less secure.

Markus Ranum wrote a great piece about this subject called Inviting Cockroaches to the Feast. It’s a very good read.