Unsafe Code: Regulation and Responsibility

Tuesday, 21 October 2003
If a bridge collapses, someone ends up in court. When car parts are defective, they are recalled. When flaws are found in software and exploited, the worst outcome for the software maker is a little bad publicity.
Bruce Schneier has often criticized Microsoft for treating security like a public relations problem and this is exactly why. From a business standpoint, that's exactly what it is. Only now is the weight of security flaws and the worms and other nastiness that result from them starting to present a potential threat to the bottom line. Consumers (mostly business consumers) are feeling the pain enough to consider switching to substitute products.
There is a real divergence between the costs incurred by the users of these products and the liability of the producers. Worms exploiting these flaws do real damage. Lives aren't lost, but data, productivity and time are.
Every time a new vulnerability is discovered every IT guy becomes a patch fairy rushing to sprinkle magic patching dust on every computer in sight. With each new flaw the burden grows - a fresh install of Windows XP requires 41 critical updates these days.
This leads to the pragmatic question of how to clean up the mess. Do you force patches onto people's computers and run the risk of regression errors? Do you require all computers to be certified safe before being allowed on the network? Install firewalls on every machine? Put Intrusion Detection Systems at every turn?
All the practical considerations aside, a more philosophical question emerges - flawed software is written and released every day; should someone be liable for these flaws?
A class action lawsuit was recently filed against Microsoft seeking damages resulting from the exploitation of flaws in Windows. This is a case of real damage. The plaintiff's computer was taken over, personal information pilfered, financial accounts swept clean, and life seriously disrupted. The potential implications of the findings in this case are enormous.
If someone should be liable for flawed software, then who? The company, the software engineer, the systems administrator who installed it? And how does all this apply to open source software?
In the current setting product liability just doesn't make sense. There are no software equivalents to building codes, Generally Accepted Accounting Principles, or a code of ethics. As several people I've discussed this topic with have pointed out, it's impossible to characterize a company or individual as irresponsible when there's no definition of responsible practices. Imagine a building inspector trying to certify a building as safe without any building codes. It degrades into a matter of opinion and debate.
This is something Steve McConnell prognosticated in his book, After the Gold Rush (oops, I just noticed a second edition of the book, Professional Software Development, is now available). The severity and scope of security problems are accelerating the shift of software creation toward an engineering discipline. Already, books like Writing Secure Code are taking a stab at classifying and identifying unsafe software creation practices.
There remains one characteristic of software creation that leaves me uneasy with standard engineering training, regulation, and responsibility as a cure-all - software is both the plan and the product all in one. I can dream up all the dangerous and unsafe bridges I want, but those plans aren't going to hurt anyone unless I actually build them. If I dream up a new concept for a virus, or even something as innocent as yet another implementation of solitaire, the plans and the product are one. The only difference between source code and a compiled product is the little bit of entropy added to the heat death of the universe by running it through a compiler.
I think I'll save further exploration of this idea for another day.