It’s Our Party & We’ll Cry If We Want To…
Have you ever taken a moment to realize that the primary reason the information security industry even exists is because of a noted lack of pedantic people, both in the RFC world of the 1980s and in the software engineering world up until the mid 1990s? Yes, there was actually a time when people did not consider the unexpected consequences of an unbounded strcpy(). Way back, when these people were focused on writing software and designing systems, they were unencumbered with the trappings of secure coding. I wonder if this period allowed people to be more free with their ideas and in turn make the incredible strides that fueled technology development.
The coding styles of the past are in stark contrast today, where even the least enlightened organizations have at least some sense that there are consequences for writing bad software. All low blows aside, I have a tough time writing any code without considering the myriad of side effects of even a small block of code. Back when I was first learning about programming, I wonder if I would have pursued it if I realized I was going to have to spend as much time being careful as I spent being creative. At this point, I begin to feel insincere, as the very industry that has kept me employed some seven years exists because people were not coding in incredibly pedantic circles.
This isn’t to say that the software engineering efforts of years past were the best way to be productive and get things done. While we’ve been busy making a case for our own existence by releasing vulnerability advisories and developing new security products, other segments of the software development industry have been coming up with ideas like Extreme Programming. Software is ubiquitous, which is a good thing because we’re no longer viewed as computer nerds when we tell someone what we do for a living. Somewhat unfortunately, by creating a vast unwashed mass that consumes software and doesn’t have to be at least this high to ride the software, we’ve skewed the public’s view of what software development really is.
Software development is both artistic and scientific. I like to refer to programming as craftsmanship. If you take pride in what you’re working on, it shows. From the perspective of the security industry, this also means that the security fitness of a piece of software is part of the craftsmanship. Writing secure code, whether considered ahead of time or as an afterthought, isn’t always the most natural way to write software. And, while we’ve spent time reminding everyone how important it is to do the right thing and taking the moral high ground, we may have done ourselves a disservice. Referring back to the ubiquity of software, the lack of understanding of how software is created is not good for any of us.
I’ve read on in horror as I perused stories of proposed legislation that would require individual developers to be financially responsible for the fitness of software. For years I’ve looked forward to the day when two enormous companies would face off in the US courts to settle the debate on software liability. The case would last for years and bring even more attention to the security industry, which would be great. But there’s always the possibility that the courts don’t agree with the plaintiff (in this case a detrimentally affected customer) and side with the software vendor. I’m sure Congress can grasp the idea that open source software development might simply stop if individual developers are held liable for their software. I don’t want individual authors to be held responsible either. But part of me certainly would like there to be fiscal liability for the manufacturers of software.
There’s an unfortunate dichotomy in arguing that point. If an individual author can sell or give away a piece of software under a license stating that the author makes no claim as to the fitness of said software, why shouldn’t a larger commercial entity be able to do the same thing? I have no idea how long it will take before such a question comes before a court. But before it does, I think the security industry had better have a very convincing answer prepared.