Here we have all these discussion of security, personal privacy and so on. The amount of bugs found in commercial and non-commercial software is steadily on the rise.
Do you feel safe and protected from adware and spyware when using your most preferred browser? Have second thoughts about RFID when walking through a store and seeing all the products with tags on them?
Well, this all leads us to the question to what happens when a bug is found. Who takes responsibility and why or why not.
Let's start with a real life example:
One of the senior programmers involved found out about it. He went to his direct superior and to the main tester.
Surprise, surprise! He was told it was not his job to actually search in the system for bugs. The programmer decided to fix the bug anyway, in his unpaid overtime.
Mind you we are talking about data stored on servers belonging to the Federal government. Servers locked up in rooms which are considered to be in secured areas. Access to some of them only with a biometric pass. And we all can imagine how bad it will be for any company or even worst the government when data they store can be so easily accessed.
Anyway, after the negative feedback he got the programmer decided not to try the system any further and investigate how much more he could infiltrate. Meaning, there might be even holes in the software bigger then the Grand Canyon and nobody knows about them or even cares to find out.
But wait a minute, it gets even worst. Once the fix was done and implemented for one of the versions he then informed every other lead programmer and the CTO about the vulnerability he found. He told them how important it was to get the software fixed. We are actually talking about adding one! additional function call to the logic checking the validity of a username/password. Less then a minute programmers work and less then a minute testing.
Ready for the next shock?
Here are the answers he got from
|Lead programmer A:||Not my responsibility.|
|Lead programmer B:||I am not getting paid to do that.|
|Director of development:||I don't care. Put it in when it works...|
|CTO:||As long as the customer does not find out about it we really don't have to fix it. Stop wasting time on finding bugs!|
Excuse me? As long as the customer doesn't know about it... Sounds like the tires which have not been recalled until the first deaths, right? Doesn't that make you feel really good?
Besides ethical issues there are a lot of concerns about the management style. Wouldn't you think that the management would have been pleased with one of their own finding out about it? Before it becomes public?
Whose responsibility is it? Of course all employees of the company in question! So what can you do to fix problems like that?
By the way, some versions never had the vulnerability fixed.
This Genius One Article is published here for the purpose of helping to improve your personal and organizational performances; designed to provide accurate and authoritative information in regard to the subject matter covered. If legal advice or other expert assistance is required, the services of a competent professional should be sought.
Please contact us directly if you need a word or pdf version of this article.