Will liability change everything?

Some software application bug must have really pissed off Commissioners Viviane Reding and Meglena Kuneva, as they want software developers to be held liable for the security and efficacy of their products.

Alan Cox, one of the leading Linux kernel developers, argues against the liability: “Closed-source companies could not be held liable for their code because of the effect this would have on third-party vendor relationships.”

Bruce Schneier has a really good article about the commercial effect of liability. In short, fixing your bugs is not as profitable (they have never heard of Typemock) as adding a new feature, but a liability law would change that calculation and force more CEOs to spend money on the quality of their code.

“We’re making software as secure as we possibly can. People don’t look at window-lock makers for the responsibility for burglary — the responsibility tends to rest with perpetrators,” said Jerry Fishenden, Microsoft’s national technology officer.

Are we doing the best we can?

So, are we doing the best we possibly can? Should software developers be liable when they are sloppy and unprofessional? A doctor is liable if he makes a mistake; should we be liable if we are sloppy?

As an industry we still have a long way to go to reach the standards that already exist in specific markets: MISRA, DO-178B, PCI, Sarbanes-Oxley and the FDA’s medical device standards. Should the software industry create or adopt a standard to draw the line of liability?

If we did have such a standard, what would you say are the minimum actions we must take to be exempt from liability? What would distinguish a professional developer from a sloppy one?

  1. Do we first define a ‘sloppy’ developer? Sloppy could mean lazy or could mean petulant; it could mean different things to different people. Some developers believe in TDD and unit testing, some don’t. Some developers can write code with few or no bugs and no unit tests. Code with even the greatest unit test and code coverage stats can still have bugs (business logic errors and non-testable areas chief amongst them). A developer can still care about what they do but not believe in unit tests, and that does not make them sloppy, lazy or even a bad developer. What makes a bad developer is one that does not care about what they do, and I doubt that such a developer really exists. What perhaps needs to happen is for our industry to develop quality standards based on measurable stats: unit tests, code coverage, exposure of tests over rules and business process (such as BDD and FIT, say). The measures of test between unit to integration to functional to system test are often lost in the translation, and our industry could very well develop standards that show that this takes effect. If our industry can then show that this quality control takes effect in products, as say a kite mark, then this would give the consumer the confidence.

  2. True,
    Let’s define a sloppy doctor: he could be a doctor that has a different understanding of how to cure people; he might believe in a specific procedure or not. I am sure that he cares about what he does. That (the caring) does not exempt the doctor from liability if he makes a mistake. A mistake is being sloppy, not performing the correct action. So what are the actions that a *software developer* has to perform to be exempt from liability?
