Discussion on:

Should developers be sued for security holes?

Who would want to be a software developer with such a huge elephant hovering above your head?!

here's some text.

would be on the top of my list. Their immunity comes from their hefty insurance.

Guy fresh out of School who is starting out and has decided to Specialize in Nero Surgery.

They get Bugger All in wages and have no real incentive to even start in that field. Sure they may end up with a 6+ Figure Income but it's just as likely that they will not. No one can tell what they will end up earning from their work till after they are earning it.

Col

test subjects didn't survive, you'd be looking for a new line of work, but out here, in this corner of the world, I don't think pay is an issue:

healthcareersdotaboutdotcom/od/compensationinformation/f/How-Much-Money-Does-A-Neurosurgeon-Earndothtm

Median of 670k, with the top 10% averaging a cool mil? I could live with that

Supervised Surgery at virtually No Pay did they have to do to get that income?

The other question to ask is How many Started in this field and how many ended up with the Big Bucks?

The numbers are radically different.

Col

Most passionate developers do not start making any sort of recognizable money on their hobby. But even after they do ascend the ranks in their new found profession, how many of them could ever dream of even matching up to the $670k+ income level? I'd argue very few (top 1-2%?)

But I'm not saying a developer should be put in the same league as the critical position of a neurosurgeon (unless they are developing software that is critical for survival).

software engineers / developers have NOT been held to the same level of accountability and it's now suggested they should be. If a developer works for a company, then it's the company that's responsible for the quality. The entity shipping the product is the one responsible, not their employees.

am not defending poor QA, just want to bring your point into perspective

sue the pants off him. If the building used shoddy materials when the plans called for quality, sure sue the pants off him.

Can you come up with a reason why software engineers should NOT be held responsible for shoddy work or including known vulnerabilities instead of doing the design right?

Can you explain why so many who work on mainframe code, Apple code, Unix code, Linux code can write software without known flaws or vulnerabilities but people who write code for Windows can't?

Mate, don't think code on mainframes, apples, unix, or linux can't be broken. They can all be broken, it is just due to the market penetration Windows is a much larger and softer target.

in it they just patch over instead of fixing the code. Over the years there are many security flaws found that could affect any operating system, such as buffer overflows, while the Unix and Linux community got busy and fixed the base code so those vulnerabilities were closed out the people at Microsoft simply patched over and hid the way to get at them, so they kept coming up again and again as new ways to cause them were found that would work with Windows but not Unix or Linux - the same has happened with many other vulnerabilities.

However, that's getting away from the fact that once a flaw or vulnerability is known the people who developed the software should fix the base code to close it off, failure to do so in a timely manner (which is another issue) should make them liable for the costs involved. They should have their arses sued off them if they put out new software with a known vulnerability in it.

But you seem to think it's OK to produce code with known faults. If that's OK, then it's also OK to produce code with a known Trojan or a known virus in it.

Magical developers know their flaws before they hit the production lines. Silly developers think they can get away with their evil scheming >:) It's known faults, because they know them for sure. All 500 million exploits are ingrained in their brain at the time of inception. Evil bastards.

Anyone who doesn't memorize them should bow out. A world without programmers. Wow. It'd be cool to revisit the early 1900s.

But are also required, so who gets sued?

mind you, the idiot who puts a standard housing spec door down for a high security building will get crucified, as will the fool who installs a hollow core interior door for the front door of a house. But the builder who leaves the front doorway with no door at all is likely to get sued, especially if he builds it so you can't fit a door to it.

Easiest way to break in is a chainsaw
You'd be surprised at how few people respond to the sound of a chainsaw cutting through a wall. not that I have experience with this

most walls without much in the way of sound, just bring a BIG battery or generator.

Also, your likely to set the place on fire.

Why just last week, I forgot my keys in the house and the locksmith let me in. I sued the bajeezus out of the door manufacturer. Took his wife, his kids, and we ate the family canine together at the dinner table.

Kill the K9 Humanly or do I have to report you to the Animal Protection Agency in your area?

I also hope it was a young dog cus the old ones are way too tough.

You where however correct in suing the Door Maker because it should have been impossible to lock it without the Keys.

Of course I suppose the Excuse that the Door Maker used was that he only made the door not the lock and that he didn't supply doors with Locks or Hinges.

Personally I would have gone after the company who installed the door but then again if it was yourself that sort of makes things difficult doesn't it?

I can also recommend a Good place to sell his wife and Kids who are quite reasonable and not overly expensive but you have to be really careful not to get caught using them. Your Federal Authorities take a dim view of selling Citizens to the Middle East. The State on the other hand really doesn't care provided that you pay the proper Tax on the Sale.

Incidentally I personally would have gone after the company who made the door not the floor Pleb working for that company as they have next to nothing and no control over what they make, they are just told to do XYZ and do it, the Management of the company who made it are the ones at fault here.

Col

I didn't even think of that angle. Yes. I locked myself out by flipping the lock on the handle. I should have sued him as well for letting it lock without the keys. The fact that I ended up on the outside should be his fault.

Come to think of it, do you think I could sue 2 or 3 more times if I implement the laser cutter and the chainsaw method? Maybe we could get that lock engineer on death row!

And yeah, we allowed PETA by the house to show the dog pictures and hear their lectures. I think he died of exhaustion and PTSD. Their the experts on ethical treatment, so I figure it's all kosher

For example, if they only designed in a half-height door where a full-height door was required for security, then yes, sue the daylights out of them.

If an accident is found to be caused by a software bug then the developers ARE under the same accountability. The developer of the software for an engine management system can be sued as much as the manufacturer of the engine.

I can't find words to express just how bad of an idea it is.

if I could...

There are only two reasons I can think to be upset about this:
One legit one, the possibility of nuisance suites like those faced by doctors. This issue wasn't enough to eliminate the liability for malpractice suites.

The other one is the a developers inability to design efficient code. If you worked with for a company and designed and delivered code that not only did not do the job but wrecked the server, there is no question that you would be on your way out the door the next morning. Therefore if your poor work causes a consumer to lose his life's savings then I think you should be accountable for that. Obviously this will probably lead to malpractice insurance for developers with a skyrocketing price. But my answer for this is the same as for doctors. If you make sure you do good work and insist on verification of the work product of all your employees, and if you would police your company and your industry to ensure that incompetents aren't allowed to practice, then there would be a lot less likelihood of losses to consumers due to incompetence.

As the auditor of source code deliverables for our customer, I am appalled at the lack of skill and intellect being exhibited by supposedly qualified developers. At this point in time the customer has had no recourse but to require the contractor's developers to redo it (which they are still getting paid to do).

People should be held accountable for poor work. If you do an incompetent job then YOU need to pay the price.

Thankfully there was backups lol.

is that the everyday person who would normally be used on a jury would lack the technical expertise to determine the difference between shoddy code and an honest 'we missed it' mistake. Add to that the drive for lawyers to sue for millions and billions, and you create an extremely hostile environment for developers who already work lots of hours and face burnout. I love being a software developer, but I shudder to think if the developer starts being treated like a doctor. If so, I should be getting a whole lot more money for my work.

at present you have to go with all sorts of 'specialist' arguments as to what is and isn't, while a law with a clear set of criteria makes most of the situation cut and dried - much like a criminal case.

Like Doctors, Lawyers or any other Professional who is Responsible for their Actions?

Just how many Doctors would you go to for Professional Advice if they where Exempt from any form of Litergation over their work?

You can take that to any other Profession which is held accountable for what they do and do not do so they behave professionally and do as they say they will instead of doing as they feel like on the day.

The reality however is out of every consultation Doctors actually do be that seeing a patient or operating on that Patient in some form or other there are very few Legal Cases brought against them for Malpractice.

When you consider the Number of Meetings in one form or another any Doctor has with Patients these result in very few Claims, even then depending on where you see that Doctor you may not even have a claim against them personally.

If you see them in a Public Hospital you can not sue that Doctor you have to sue the Hospital when you feel that substandard work has been done. Remember Adverse medical Outcomes resulting from surgery are not in themselves grounds to sue they are a possibility of any Operation which is out of the control of both the Hospital, the Theater Staff and the Surgeon and can be the result of the patients DNA itself to other things out of the control of the Doctors.

What Legal Rules like this would achieve with Software Development is the doing away with Vague Requests for software which changes during the project. The basis of all Projects would be much better thought out and documented long before they involve any Developer writing a single charter of code.

I personally do not see that as such a bad thing myself.

Col

nt

Because if I can get their salary due to the liability factor, and carry their insurance, I'll be set for life

Are criminals going to start suing homeowners for using locks that are easily broken?

If the software is being sold to enterprises, there is a little bit of an excuse. A lawsuit brought about because a developer fails to notify its customers of a security flaw is understandable.

The homeowner suing the lock company for making a lock with known security issues would be a better match. The whole lock "bumping" issue jumps to mind immediately.

Sadly, in our litigation-happy society this is almost inevitable. Besides, why should software developers enjoy protection that no one else does? While this seems like a bad idea from the viewpoint of many TR readers, from a legal point of view it seems pretty obvious. If you can sue Firestone for making a bad tire, why can't you sue MS for making a bad browser? It's another "wonderful" opportunity for some lawyers to get rich(er).

and get hurt, but still sue the company for NOT making it so they can't be a total idiot.

As the cliche goes, you can't fix stupid...but with a good lawyer you can make a few bucks from it.

And that's totally ok. We should totally sue anyone who has anything to do with anything that happens to my PC. Duh. Last week my power supply went out. Freak lightening storm, but I totally hit up parliament and the pentagon seeking restitution.

'avoidable' security flaws. If someone creates software that has an already well known security flaw in it, then I think they should be held accountable for not dealing with a known problem; but they should not be held accountable for a security flaw that only becomes known after the release unless they refuse or fail to take action to fix it.

An example would be the well known buffer overflow issues, there's no reason why any new software being released should be vulnerable to that issue since the problem and its resolution have been known for many years.

This would put the software companies on the same level with other manufacturers who can be taken to court for known safety and security issues with their manufactured products such as toasters, cars, televisions, etc.

There is, of course, a need to differentiate, to some extent, between software sold and software given away free. But in either case, the inclusion of any deliberate malicious code should be a criminal offence.

The reason software is so shoddy is that the creators know that they can't be sued.

If new laws were introduced (with the appropriate Amnesty clauses) software creators would stop pushing their latest money-making garbage onto the market and concentrate on fixing the software they've already released.

They might even learn how to properly code their new products (as a result).

Clarification:
When I said creators I meant the company, not the coder.
Also, companies shouldn't have to pay the fines, they should be paid by the BoD (the shareholders and workers shouldn't be penalised)

the concept with a provisions that it only applies to known flaws and holes.

Programmer to PM: There is a security hole in this code, can I fix it?
Pm To Programmer: No, we don't have enough time, just ship it anyways.

This has happened to me lots, just recently I had to send code that, if you clicked on a tab, the application crashed, it needed one line of code, just had to set an integer value properly, but no, I wasn't allowed to do it.

when that happened, in which case it makes the company the official developer of the program as they had the control over what you do. If you did this for yourself you would have just fixed it, but there are some out there who don't do that and they should be held responsible.

I was once in the situation where my boss gave me orders to do something I disagreed with, I refused to comply until AFTER he gave me the orders in writing. Once I had that i had little choice but to do what he wanted, and when the brown goo hit the rotating device that written order made it clear he was responsible for the mess. This is the only way to handle such things.

no text

Get it in writing... I'd give you five thousand votes up for that one!

I worked as the SQA Engineer. If the company wanted to ship with unfinished code there was little I could do. I documented some of the root causes as management pushing it through. They had to sign that. Later, they laid off the SQA department.