A proposal would hold vendors liable for bugs:
SANS’ newly released Top 25 list of common programming flaws came with a little legal muscle, too, with representatives from SANs, Mitre, the U.S. Department of Homeland Security, the National Security Agency, and other organizations pushing for custom software developers to be held liable for insecure code they write.
Experts from more than 30 U.S. and international organizations, including OWASP, Microsoft, Apple, EMC, Oracle, McAfee, and Symantec, contributed to the CWE/SANS Top 25 list. And procurement experts from some of the organizations are recommending standard contract language for procurements that would ensure buyers aren’t held liable for software that contains security flaws. “Wherever a commercial entity or government agency asks someone to write software for them, there is now a way they can begin to make the suppliers of that software accountable for [security] problems,” says Alan Paller, director of research for the SANS Institute.
Paller says the contract language would be based in part on a draft in the works by the State of New York (PDF) that refers to the SANS Top 25 and would make the state’s custom-software vendors contractually bound to provide apps that are free of those bugs. Paller says although there is “no formal agreement on the language” among the group at this point, it’s focused on the section of New York’s proposed contract language that reads: “the Vendor shall, at a minimum, conduct a threat assessment and analysis of vulnerability information, including the current list of SANS 25 Most Dangerous Programming Errors; provide the Purchaser with a written report as soon as possible after a vulnerability, threat, or risk has been identified.”
Well, within the context of the job, QA management is always on the hook. Any bugs that get through reflect poorly on QA (as they do on the whole organization, but I always internalize it because I’m that way).
However, when I read something like this, I get a little skittish and recollect sitting in a sexual harassment seminar given to all department heads and learning that I, personally, was on the hook as a potential plaintiff if one of my minions made a hostile-in-the-sexual-way environment (hostile-in-the-QA-way environments are standard). I am sure I paled a bit learning someone could get my house. I mean, I had a Canadian on staff, and you know what that means (the man was born in Canada).
I’m probably a little worried for something that probably won’t come to pass. A little liability and being required to fix problems is good. That fear can help make some better software. How the torts shake out, though, that remains to be seen.