If you are a programmer of an app, with potential (costly) ramifications if the security of the app is compromised, are you responsible if anything goes wrong (e.g data is leaked)?
Does it depend on whether you are the manager of the project?
That will depend entirely on the legal jurisdiction and the contract between you and the customer (and any intermediaries, such as an employer, if you're not doing this as an individual).
This is why most EULAs state that there is no warranty, etc.
Morally, you are. Legally, you usually aren't. Watch out what you sign, however.
From a project manager's point of view I would say that it is the programmer's fault if security is compromised, since a project manager's area of expertise does not necessarily lie in programming or programming security. The programmer should be experienced enough to know such things if he decides to take on such a task, or at least educate himself.
As I see it, things like security leaks often happen because of bugs, bugs that could have been found with thorough testing. The fact is that if it is a one-person job - the person who programs is also the manager - one person cannot think of everything and the chance that you screw up is even bigger. But in the end what counts is the legal contract.
The key idea is to have so many people involved in the project (managers, programmers, testers) that responsibility gets so diffused that no one can actually be fully blamed :)
If you're ever in this position as a programmer - costly ramifications if an app has a security flaw - you should explicitly have a security breach plan. Get it in writing. Talk about who loses jobs.
I say this for two reasons. One, because it's true - everyone should do this. And two, if everyone knew precisely the employment results of a breach, people will code more securely.
And one last point - if there are big ramifications, security should never be one person's responsibility.
No, that responsibility would be on your QA department. For really sensitive applications, they should get a third-party certification that guarantees the integrity of your application, or at least makes a thorough report on how and why it might fail.
In some organizations there are teams with people specializing in security inspections of applications from different perspectives.
And for those orgs that do not have such teams, the concept of security needs to be up front as a goal highlighted from the inception of the project. If it does not exist as a milestone, then neither the programmer nor the manager will take the initiative to implement it (it is often the last thing on the priority list because of time constraints, the last to be taken care of, though important).