
Journal aWalrus's Journal: The Software Developer Responsibility

From my latest entry at the Overcaffeinated Site (not technical):

Securing Code is hard. Despite the image of coolness and glamour that Hollywood has presented to us for quite some time, the actual task of programming decent, secure code (or breaking half-assed, insecure code, for that matter) involves a lot of late-night coding and documenting, and is generally seen as a low priority in project planning. Recently, this field got a lot of attention through a major shakedown: the Blaster worm propagated wildly and hit a rather large bunch of computer systems worldwide.

Now, Computer Security is a touchy area. Although not everyone is expected to keep up to date with the latest news in Bugtraq or closely monitor all security patches released by Redmond, we techno-geeks were able, up until now, to attribute most of the security-related problems to the interface between the chair and the computer. That is, The User. Most virii (the Kournikova virus comes to mind) require some sort of action by the dim-witted user in order to spread. We all know how that works: You receive an attachment promising to show you the boobs of * insert hot actress here * in full, glorious detail. You just have to double-click on the harmlessFileNotAVirus.exe file, and you're set!

Well, not this time. Connected to the interweb? -- you're vulnerable. Running any version of Windows? -- you're vulnerable (although the worm only attacked win2000 and XP, all versions have the vulnerability). Using the default color scheme in Windows XP? -- you're vulnerable (well, not really, but it's so fucking ugly you should change it just to be on the safe side). As computers all over the world scanned port 135 in a colossal game of tag, we could just patch and watch in disbelief as coworkers running unpatched machines started screaming that the freaking thing had hit them. Before I knew what the payload was, I called home and warned my family not to connect to the internet (yes, my home computer was unpatched -- I'll live in shame until I commit seppuku to cleanse my honor).

While technically the damned Blaster thing was a worm and not a virus, it did have the ability to install arbitrary software on a home user's computer. THAT IS BAD.

Without getting into the technical details of this, I think this event should mark a change in the perception software developers must have about our own work. It's about time we stopped making half-assed excuses and blaming the users for our lack of foresight. It's about time we started demanding security checks to be accounted for in the planning stages of our projects. The cries of "But there will always be insecure software!" should be met with "Only if we keep writing it!" You hear me, fellow developers! Take the reins of your destiny and bitchslap the damn thing! Cleanse the Bugs! Tame the Gotos! Free the Mallocs! Get fucking jiggy with it!!!

Out now.
