Developers 'should be liable' for security holes ~ Idiot

This just got pointed out to me this morning.

I did the poll as well and as of right now 4.7% of the people who voted agree with the author; 51.5% believe it is up to the Vendor.  Duh!

Why on earth someone would want to place so much responsibility on a developer is beyond me.  Personally I would rather think it is the solution/security architects' role to handle the end-to-end security of an application, and ultimately the management of that organization.  Management has to ensure that their product meets their expectations and needs, including details such as these.  It is up to them to put the methods and processes in place to ensure that these concerns are defined and met; otherwise you will get stupid mistakes like the one mentioned in the article.

Failing to Plan is like Planning to Fail.

 

2 Comments

  • Jerry Pisk said

    Hehe, in all companies I worked for, developers don't have much of a say in how things are done. Management routinely overrides developers' decisions, putting in security holes. So developers will be forced to make a decision - get fired or get sued. Is it that difficult to see what this would do - move all the remaining technical jobs offshore.

  • Tim Marman said

    I don't know - this guy may be an idiot but I agree with him on one point - software manufacturers should assume liability for poorly constructed products just as "real" manufacturers do.

    His discussion may be moot though. It's generally not the individuals that assume liability (we're not dealing with SOX here) but rather the corporate entities involved (for all of the reasons you guys outlined above).

    Now if it's one guy sitting in his basement, then sure, they're one and the same.
