Security threats Toolkit
Story: Developers 'should be accountable' for security holes
Posted by: Bruce Allen (Wednesday 12 October 2005, 4:39 PM)
Howard Schmidt sounds like yet another egghead who hasn't wrote any software. There is not a "theory of security" that can prove mathmatically a software let-a-lone a system of hardware, firmware and software is secure. MD5 is being successfully attacked today by a group in China. Should the author of MD5 be stretched on the rack?
Insecurity is the outcome of not treating hardware, firmware and software as a system in need of optimization. What current functions that have been happily executing in each of these three boxes since the 1950s need to be moved, spit or enhanced? The "no execute" bit was recently rediscovered by Intel and AMD but Alpha had it on day one. VMS uses descriptors to define strings while the insecure operating systems of the world don't. Back in the 1970s the idea of opcode encryption was used to prevent theft of software while later research has shown the idea prevents virus injection. The political aspects are important in this discussion as well.
The bottom line Howard's proposal would lead to malpractice insurance for programmers and possibly eight years of school and two years of residency before they could start writing software. We all know what this has done for America in terms of doctors. This would drive development overseas. Keep in mind, American sofware is an important asset that must be maintained by loyal Americans and not by foreign nationals here on H1B visas like so many Congressmen want so they can stroke their rich company friends. H1B visa holders will eventually (hopefully) go home possibly leaving eastereggs in the software they wrote here. What would happen if stock market, hospital, banking or power plant software went offline due to attack? Can you trust foreign nationals?Threatening programmers with personal liability is not the answer. Exporting programming jobs is senseless and makes security impossible just like importing foreign nationals here to do the work.
Howard, the sign on the wall says Good, Quick and Cheap. You get to pick two of the three.
Full Talkback thread
Story: Developers 'should be accountable' for security holes
-
If you are writing programs for a specific OS then... oldator -
Howard Schmidt sounds like yet another egghea... Bruce Allen -
Schmidt seems to be suggesting that the... jim bob -
Some of you guys are amazing.
It's... Big Al
-
Hmmm.. certainly got everyone... Stevie
-
BUNK! Absolute bunk! Unless Schmidt acknowledges... Floyd May
-
Brilliant...This is the fastest way I can thi... Stan Fisher
-
This is nonsense. The company should be liable for... Anonymous
-
Is an auto designer personnally liable for a... Glenn Branch
-
Dammit!
I'm so fscking SICK of these people who tr... Anonymous
-
agree with software application security - th... Bill Dobson
-
Bill - Let me guess... the additional pr... Coleman
-
You can hold developers responsible... Rob Fielding
-
Customers want developers to write software that d... Anonymous
-
In most cases, the developer does not own the... Anonymous
-
Developers don't make the decisions as to what is... Anonymous
-
As a software developer my manager gives me a... Tom Jones
-
I am sure he writes code every day!! Here is anoth... Anonymous
-
This won't work for several reasons:
** Since most... Anonymous
-
Software is extremely complex and will always be c... Jose Sandoval
-
Consumers should be (and ultimately are, through l... Nathan Tenney
-
If we take this to its logical conclusion we have... Anonymous
-
Well this will certainly have the effect of gettin... Lawrence Foard
-
CMM doesn't represent how good your developers are... Anonymous
-
WHAT CONSTITUTES A SECURITY HOLE? WHAT ABOUT MISU... Dave Monk
-
I'd love the time to make all my code completely s... Anonymous
-
There are huge problems with this idea:
a) develop... Ian Woollard
-
Training is just one of the variables in this equa... Anonymous
-
This is a clearly a bureaucrat tooting his own hor... Coleman
-
Kiss my donkey Mr. Schmidt!! I wouldn't accept suc... Anonymous
-
Not to speak lowly of a mans education, but Mr. Sc... Anonymous
-
Has this person ever worked in a 'real world' prog... Anonymous
-
Mr. Schmidt is gone senile
Software products will... aspen
-
Should a developer be held accountable for a secur... Anonymous
-
Here's why Schmidt is an idiot.
Individual develop... John Boe
-
This is pure insanity and a perfect example of a p... Anonymous
-
Mr. Howard Schmidt has no clue about software deve... Anonymous
-
Let me guess... BUSH White House advisor.
The arti... John Boe
-
another idiot suit who got his job through cr... Anonymous
-
Sounds like a great idea to me... What about other... Anonymous
-
Bad idea. Here's why:
1) Developers generally tak... Joe Cochran
-
If this guys is an "expert" I'm a pink flying elep... Brendan
-
Mr Espiner,
Thank you for publishing this article... Anonymous
-
I love this idea!
You see, I own and manage a soft... Anonymous
-
just as soon as ass-hat politicians and televangel... who cares
-
If Developers should be liable for security holes... Anonymous
-
It's freaking' time... the difference between free... T2k
-
I love the idea. But if I wonder if any employer... Twan
-
If the developer is legally liable for his own cod... Bill Hauck
-
This is a standard business tatic...the compa... Charles H Martin, PhD
-
Poor Howard embarasses himself with this one. Anonymous
-
CEO's should be liable for company failures. The... Bernard Deuce
-
Howard Schmidt obviously has no understanding of h... Anonymous
-
Step up to plate Developers - don't just hide... Ben Williams
-
Great idea if ....
- You want to ensure that all s... Anonymous
-
Schmidt almost certainly doesn't know what he's ta... Rex Page
-
So going by Mr. Schmidt's logic, if tomorrow there... Rajesh Sharma
-
Seeing that lawyers have squeezed every drop of li... Anonymous
-
Ex-White House huh? Let me guess -- Bush crony?... Anonymous
-
Anyone who works in software security (and has a c... Anonymous
-
As a professional software engineer, I strongly di... Andrew Rondeau
-
He is a cowboy.
Security is moving target dumber.... Anonymous
-
Mr. Schmidt is obviously a fool. But if he is will... Sam
-
There is a total disconnect with reality!
Quality... Franz
-
Howard Schmidt is so naive about the subject of so... Rob C
-
Somebody has to stand up and say these things... Rob Lewis
-
I agree that software companies should try to make... Anonymous
-
How about to include any type of bug into company'... marius herghelegiu
-
The problem is that customers and employers don't... Anonymous
-
Mr. Schmidth seems to have found a way to quickly... Arthur B.
-
So, according to his theory, if someone hot-wires... Anonymous
-
Schmidt is unskiled and unaware of it. His inflate... Kathleen Fasanella
-
So, I assume he also wants to hold assembly line w... Anonymous
-
Another management guy pushing responsibility down... Anonymous
-
Does he believe that developers have the ultimate... Anonymous
-
As much as I'd like to be accountable, the level o... Anonymous
-
[rant type="trolling back at the article's antagon... Anonymous
Back to: Developers 'should be accountable' for security holes
