
Vendors, not developers, to blame for poor code

Computer security expert Bruce Schneier has waded into a debate raging in cyberspace over who is actually to blame for the security flaws that result from poorly coded software.

Last week Howard Schmidt, the former White House cybersecurity advisor, argued at a seminar in London that programmers should be held responsible for flaws in code they write. "In software development, we need to have personal quality assurances from developers that the code they write is secure," he said.

Schmidt's argument outraged large swathes of software developers, including readers of ZDNet UK and tech luminaries such as Bruce Schneier. Schneier, the chief technology officer of Counterpane Internet Security, a Wired columnist and security guru, took issue with Schmidt, arguing that the problem lay with the companies selling the software and not with the developers.

Software companies are in the business of making a profit, Schneier argued, and "they try to balance the costs of more-secure software -- extra developers, fewer features, longer time to market -- against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales".

The result, Schneier argues, is "lousy software". Companies find money to "weather the occasional press storm" rather than to "design security right from the beginning".

"The end result is that insecure software is common," argued Schneier. "But because users, not software manufacturers, pay the price, nothing improves. Making software manufacturers liable fixes this externality".

Many ZDNet UK readers seem to agree with Schneier, and put the blame for security problems squarely with the vendors selling the software.

The results of a ZDNet UK online poll, which attracted more than 1,000 respondents, showed that 53 percent of readers who replied felt that the blame lies with vendors. Of the rest, 40 percent said that no-one is to blame and just six percent said software programmers were at fault.

As far as Schneier is concerned, "computer security isn't a technological problem -- it's an economic problem".


 
