The below letter was written in response to a statement from Howard Schmidt, former White House cybersecurity advisor. He argued that software developers are solely responsible for security issues. My response, states that the company developing software needs to be held liable for defects.
As a professional software engineer, I strongly disagree with the stance that “Software developers should be held personally accountable for the security of the code they write”. My opinion is based on an engineering disaster that I studied when I was in college.
In 1986, the spaceship Challenger exploded, killing the astronauts that it carried. Upon investigation, it was found that the engineers who designed the faulty parts discovered the problem and notified management. The real fault for the Challenger disaster was miscommunication and an unwillingness to miss a launch date.
Negligent Software Developers are not the only cause of security holes. Inadequate testing, complicated development tools, lack of “proofreading” source code, poor user interfaces, and bad management also need to share the blame. For example, it is common in the software industry for management to set unrealistic development timelines, resulting in software is written quickly and shoddily.
With automobiles and baby strollers, the entire company is held liable for defects, not the engineers. Likewise, it is appropriate to hold software companies, not software developers, liable for security holes.