Today I saw this article focusing on a statement made, at Secure London 2005, by Howard Schmidt. The statements included:
_
“In software development, we need to have personal quality assurances from developers that the code they write is secure”
“W_e need individual accountability from developers for end-to-end
solutions so we can go to them and say: ‘Is this completely secure?’ “
For the past 5 years I’ve been working on software systems that manage
and maintain data that is both sensitive and has had extremely high
requirements for calculation accuracy. Sure they’ve not been
systems which controlled aircraft, kept the pace set by pacemakers or
dispensed cash from ATMs,but all the same, the clients and the people
who’s data was being stored would have thought the system required
complete accuracy and security. When I’m working on any code I
pride myself in writing solidly and bug free. I take ownership in
both my code as well as the project as a whole. Not everyone does
and not everyone needs to go to that extent.
I’m having problems wrapping my head around what Mr. Schmidt
says. To me it sounds like he would like to find a way to hold
every developer personally liable for code that they have
written. I’m having problems with two things. Personal
liability and the code I have written. The problem I have with
the code I’ve written isn’t because I distrust it’s current
state. Au contraire, I stand by it firmly. My problem is
how do I even try to identify “my” code? Sure I wrote specific
lines of code in a project. That code then was debugged by a
different developer at some point and altered to change it’s
behaviour. Some time further down the road, that altered code was
refactored or added to when new functionality was required. So
now is that my code, is it the debugging developer’s code or does it
belong to the developer that refactored it? Let’s even make the
owner of the code more confusing. I write an entire module and
another developer extends the module with new functionality. Am I
the code owner of the module still? What about the situation
where the architect’s design the root of the security problem? Do
we still place responsibility for writing the code, as requested /
required, on the developer? What if the client has made a
ludicrous request resulting, that they can’t be talked out of, that
opens a security hole? What then?
What I’m getting at is that ownership of code doesn’t ever belong to
one individual. At best it belongs to the team. More likely
it belongs to the company or the client. Regardless it belongs to
the developer, the team, the company and the client a little
each. How can you assign liability to only one portion of a
collaborative process?
I believe that feeling responsibility and having pride in the code that
you write is very important. Enforcing or legislating this would
be impossible.