Whose responsibility is it anyway?
© Copyright Frank D. Kanu 2000-2008
Here we have all these discussions of security, personal privacy and so on. The number of bugs found in commercial and non-commercial software is steadily on the rise.
Do you feel safe and protected from adware and spyware when using your preferred browser? Do you have second thoughts about RFID when walking through a store and seeing all the products with tags on them?
Well, this all leads to the question of what happens when a bug is found. Who takes responsibility, and why or why not?
Let’s start with a real life example:
- There is this software package mainly used by Federal agencies. It has a web interface, freely accessible from anywhere in the world. As a user you create a login with a user id and password and then start adding personal data: your complete address, SSN, and information like education, employment and such. Sensitive data, wouldn’t you agree?
The login was vulnerable to SQL injection, something every script kiddie could easily find on the internet. In case you are wondering: instead of a password you type a fragment of SQL that turns the login check into an always true condition.
Why is that so bad? Without knowing any login you were able to get into the system and see the data of a real user. All the data, without exception.
One of the senior programmers involved found out about it. He went to his direct superior and to the main tester.
Surprise, surprise! He was told it was not his job to search the system for bugs. The programmer decided to fix the bug anyway, in his unpaid overtime.
Mind you, we are talking about data stored on servers belonging to the Federal government. Servers locked up in rooms which are considered secured areas, some of them accessible only with a biometric pass. And we can all imagine how bad it will be for any company, or even worse the government, when data they store can be accessed so easily.
Anyway, after the negative feedback he got, the programmer decided not to probe the system any further to find out how much more he could get at. Meaning there might be holes in the software bigger than the Grand Canyon and nobody knows about them or even cares to find out.
But wait a minute, it gets even worse. Once the fix was done and implemented for one of the versions, he informed every other lead programmer and the CTO about the vulnerability he had found. He told them how important it was to get the software fixed. We are actually talking about adding one additional function call to the logic checking the validity of a username/password. Less than a minute of programming work and less than a minute of testing.
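As an added example (not code from the original post, nor from the software package it describes), here is the login check from the story reduced to its essentials: the vulnerable form that pastes the submitted password into the SQL text, beside a parameterized form that keeps it as data. The table name, the columns and the sample user are constructed assumptions. The post does not say what the one extra function call in the real fix was, so the hardened version uses a parameterized query, the standard fix for this class of bug, rather than guessing at it.

```python
import sqlite3


# Constructed sample data standing in for the application's user table.
# Table and column names are assumptions; the password is stored in clear
# only to keep the example short (a real system stores a salted hash).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id TEXT, password TEXT, ssn TEXT)")
    con.execute("INSERT INTO users VALUES ('jdoe', 'correct horse', '123-45-6789')")
    con.commit()
    return con


def login_vulnerable(con, user_id, password):
    """The pattern from the story: the query text is assembled from the
    submitted fields, so whatever the user types is parsed as SQL."""
    sql = ("SELECT user_id, ssn FROM users WHERE user_id = '" + user_id
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()


def login_fixed(con, user_id, password):
    """Parameterized query: the SQL text is fixed and the fields travel as
    bound values, so a quote in the password is compared, never parsed."""
    sql = "SELECT user_id, ssn FROM users WHERE user_id = ? AND password = ?"
    return con.execute(sql, (user_id, password)).fetchone()


# The "always true condition" from the text. After substitution the WHERE
# clause of the vulnerable query reads
#     user_id = 'nobody' AND password = '' OR '1'='1'
# and because AND binds tighter than OR, every row matches.
PAYLOAD = "' OR '1'='1"


def demo(user_id="nobody", password=PAYLOAD):
    """Run the same credentials through both checks. The vulnerable check
    hands back a real user's row for a login that does not exist; the
    fixed check returns None, i.e. the login is refused."""
    con = make_db()
    return {
        "vulnerable": login_vulnerable(con, user_id, password),
        "fixed": login_fixed(con, user_id, password),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:10s} -> {row}")
```

Run as-is, the vulnerable check returns jdoe's row, SSN included, for user "nobody" and no valid password, while the parameterized check returns None. An escaping call bolted onto the string-building version would close this particular payload, but the query would still be assembled from user text; binding the values is what removes the class of bug.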
Ready for the next shock?
Here are the answers he got:
| Who | Answer |
| --- | --- |
| Lead programmer A | Not my responsibility. |
| Lead programmer B | I am not getting paid to do that. |
| Director of development | I don’t care. Put it in when it works… |
| CTO | As long as the customer does not find out about it we really don’t have to fix it. Stop wasting time on finding bugs! |
Excuse me? As long as the customer doesn’t know about it… Sounds like the tires which were not recalled until the first deaths, right? Doesn’t that make you feel really good?
Besides the ethical issues there are a lot of concerns about the management style. Wouldn’t you think that management would have been pleased that one of their own found out about it before it became public?
Whose responsibility is it? Of course all employees of the company in question! So what can you do to fix problems like that?
- Increase the amount of product testing.
- Train your employees on ethical behavior.
- Improve the communication inside and between teams.
- Increase awareness of security matters.
- Make the customer’s needs the number one priority.
- Be honest about mistakes and fix them as soon as possible.
- Encourage employees to take initiative.
By the way, some versions never had the vulnerability fixed.