Developers 'should be liable' for security holes
Posted by jericho
http://news.zdnet.co.uk/software/developer/0,39020387,39228663,00.htm
Developers ‘should be liable’ for security holes Tom Espiner, ZDNet UK October 12, 2005, 12:15 BST
Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, former White House cybersecurity advisor, on Tuesday.
[..]
“In software development, we need to have personal quality assurances from developers that the code they write is secure,” said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL.
[..]

Some vendors are stepping up... wish the bigger ones would!
http://www.and.org/and-httpd/#secure-guarantee
Secure guarantee
In fact I’m so sure that it is secure that I’m offering a “security guarantee” of $500.
Obviously there are caveats:
* [..] so that an attacker can execute arbitrary commands or read/write arbitrary data. For instance, DoS attacks aren’t included in the guarantee (although I’m pretty sure And-httpd is better than most in that regard, the nature of network-connected servers is that they are open to DoS attacks at some level).
* I only guarantee against remote attackers, so anything in the configuration that couldn’t be expected to be put there by a “reasonable person who knows what they are doing” is not allowed (this is esp. true for information leak attacks; if it’s a configuration issue it’s not my problem).
* You have to have the latest Vstr, socketpoll and timerq libraries installed.
* The $500 is only available to the first person who provides a working attack (I’ll allow a couple of weeks for you to demonstrate something that works like an attack you describe).
…on the “positive” side:
…although, obviously, feel free to add those as extra security layers on your servers.