|
Most of us do as told by our manager, and it's mostly the manager who decides what gets implemented and what not. Why does the manager cut the cost? Well, because the client awards the project to the cheapest, not the most secure.
They got what they paid for, and now they're whining.
Sue the goddamn bank, they're the ones responsible. And no, you needn't be an academic to justify that or to line up some arguments.
Bastard Programmer from Hell
if you can't read my code, try converting it here
|
Yep, I think that he means the companies, not the individuals making the code. And of course it's all about the contracts.
In my opinion, it's a good thing that there's a debate going on. I'm not saying whose fault it is that there are errors and problems. What I'm saying is that both the buyer and the supplier should have a mutual understanding what's going to be delivered.
How this is going to be achieved in the real world, well, we'll see if it's even possible.
|
Mika Wendelius wrote: Yep, I think that he means the companies
That does sound a whole lot more rational.
|
"If you’re poisoned by a burger you can sue the restaurant that sold it ..." (not the cook that flipped it).
Negligence is negligence. If you're damaged by somebody else's negligence, you should be able to sue them according to the laws in your country. If my bank buys software without having someone test it, and my bank account gets cleaned, I'd like to be able to sue the bank. (The bank may want to sue the software shop.)
On the other hand, if my account gets cleaned, I won't be able to afford a decent lawyer, so suing may not be an option.
Pablo.
"Accident: An inevitable occurrence due to the action of immutable natural laws." (Ambrose Bierce, circa 1899).
|
Also, the hydro company that provides the electricity used to perform the theft shouldn't get away so easily!
modified 20-Oct-19 21:02pm.
|
If the developer has to be held liable for security holes, it should be mentioned explicitly in the contract, and he can let another company do a security audit that can in turn be held liable if it fails to find a security hole, etc...
It's all possible, but it will cost a lot of money out of the customer's pocket; otherwise it would never be commercially viable.
If it were the default by law, small and medium businesses would have no chance of ever being able to afford online innovation, and it would kill the industry.
So, no, bad idea...
Giraffes are not real.
|
Ah, an academic spouting forth from a position of ignorance. My response is based on UK requirements, both because my company is based in the UK and because he is as well. Here, companies that provide know-how or skills are required to have Professional Indemnity Insurance in place to cover them precisely for situations like this. In other words, companies already have this covered.
One other point: how is he planning on applying this to offshore work?
|
Pete O'Hanlon wrote: how is he planning on applying this to offshore work?
That's an excellent question! Laws and regulations etc. are globally alike, aren't they?
|
Pete O'Hanlon wrote: an academic spouting forth from a position of ignorance
Cambridge, for crying out loud, too!
Granted, most of my work these days is academic, in the form of being an adjunct faculty member, but I still do enough development work in the real world to be able to share the experiences with my students, and I hope they learn something from it so there can be plenty of good quality developers out there when they finish school.
"Any sort of work in VB6 is bound to provide several WTF moments." - Christian Graus
|
IMHO, ours is an industry that relies almost solely on self-policing and operates with abandon. It's only when companies are able to be held financially liable for the negative consequences of malfunctioning (i.e. buggy) software that we'll see management giving software quality its true due. Today, most software development is driven by time-to-market issues. Being first seems (a lot) more important than operating correctly.
/ravi
|
Yeah, OK, from now on I'll just turn down all job offers for software that does something important.
|
Hmmmmm.... I have heard that debate before, and some of the things I found were like "(What)? Were you thinking?"
There doesn't seem to be too much sense in this argument either. As always, there will be loopholes, and this particular debate is a complete minefield. Upon thinking, most (if not all) security-related arguments and debates are minefields. And open-source developers would be hit quite hard, unless the exemption mentioned in the article was put in place.
And yes, I agree that this would kill the industry.
Me "Just because you are an academic doesn't mean you are smart. Or have common sense. Or actually make sense."
I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image.
Stephen Hawking
|
It should be looked at from a case-by-case approach. If the developer has been told to implement security and they do not, then yes. If not, the blame needs to fall on other shoulders.
"Any sort of work in VB6 is bound to provide several WTF moments." - Christian Graus
|
Is that like suing lock makers who don't make locks "lock-pick proof", resulting in your house being robbed?
|
That's a good idea. Some time ago we had a burglary in the neighborhood. They didn't use the door but the window. Now, when thinking of this, perhaps the glass company should've been sued.
|
There should be some liability for software companies, but it should be limited and subject to an investigation and jury trial. I don't think hackers are preventable in every case, and who is really responsible for the security failure may not be clear. For instance, if a software company used .Net and there is a security issue, it could take an active investigation to find out whether the software company or Microsoft caused the security failure. I also think there should be limited liability for freelance developers because otherwise it makes being freelance very difficult and almost impossible, thus killing many small or start-up businesses. Developers working for a company should have some liability depending on their position and the nature of the breach, and again any criminal prosecution should require a jury trial. I do think that some software and institutions should be held to a higher standard, and the nature of the breach is important. Banks should be 100% liable for any hacker emptying any bank account, and if they want to sue a software vendor for lack of security, that should be allowed but subject to a trial. Security is a complicated issue, and breaches must be addressed on a case-by-case basis. Software companies need to be held accountable, but the businesses that use the software and even the customer are responsible for security too. Consumers and non-IT people should be taught that security is their problem too. Most breaches are inside jobs by employees that have access to passwords or are caused by consumers failing to protect themselves. Even in the case of the bank account, the consumer could be responsible for the breach because they allowed their computer to be infected by a virus. It should never be assumed that computer security is only the coder's job and responsibility! Finally, please keep in mind that sloppy coding is almost always, in my personal experience, the result of management not giving enough time or resources to do the project right!
|
Mika Wendelius wrote: argues a Cambridge academic.
Well if that's the case then professors should be held liable for failure to properly train students in secure coding practices...
Common sense is admitting there is cause and effect and that you can exert some control over what you understand.
|
I doubt it's ever been the most popular. Most installed yes, popular... no.
|
Pete O'Hanlon wrote: I doubt it's ever been the most popular. Most installed yes, popular... no.
People vote with their wallet. Even Vista is more popular than the combined desktop systems from Apple, and that's saying something.
Bastard Programmer from Hell
if you can't read my code, try converting it here
|
Eddy Vluggen wrote: Even Vista is more popular than the combined desktop-systems from Apple
IMHO, that's because there are more Intel PCs sold than Macs, and not because Vista is more popular than OSX.
/ravi
|
Ravi Bhavnani wrote: IMHO, that's because there are more Intel PCs sold than Macs, and not because Vista is more popular than OSX.
Not so fast, buddy;
There are more x86-based machines with Vista sold than there are hardware machines with OSX. Meaning that even Vista on an x86 apparently offers a better alternative. (Even compared with a free competing OS on the x86 hardware.)
|