Last week, I wrote a little ditty about why companies like Universal Music should be held accountable for poor code that allows millions of their users' real names, email addresses, and clear-text passwords to be distributed around the Internet. There was quite the reaction, with many people (presumably coders) yammering that this was the worst idea in the history of ever.
But I too am a developer. I've personally coded dozens of account-based Web applications, and not a single one ever stored a clear-text password. At the very least (back in the day), passwords were hashed during registration and simply matched upon login. I think it might have been 1998 when I wrote my first password-hashing function. And here we are, 13 years later and Universal Music can't be bothered to implement literally a few lines of code to at least obfuscate the sensitive information of their users. That's all it really is -- a few lines of code.
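To make "a few lines of code" concrete, here is an added example (mine, not the author's code and not anything from Universal Music's systems) of the register-and-match pattern described above, done the way it should be done today rather than the 1998 way: a per-user random salt, a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library; the 600,000 iteration count is my assumption, following current OWASP guidance), a constant-time comparison on login, and a self-describing record so the work factor can be raised later. For contrast it also shows the 1990s-style unsalted MD5 and why a single pass over a wordlist recovers every matching account at once. The accounts and wordlist are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value, per OWASP guidance).
# The point is that each guess costs the attacker as much as it costs us.
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt per user means two users with the same password get
    different records, so precomputed tables are useless and one cracked
    hash says nothing about any other account.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed, never match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, *, iterations: int = ITERATIONS) -> bool:
    """True if the record uses a weaker work factor than we use now.
    Call after a successful login, while the plaintext is in hand, and re-hash."""
    try:
        algo, rounds, _salt, _dk = stored.split("$")
        return algo != "pbkdf2_sha256" or int(rounds) < iterations
    except ValueError:
        return True


def legacy_md5(password: str) -> str:
    """The old pattern: an unsalted, fast hash. Better than clear text, barely."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored_hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Why unsalted fast hashes hardly slow an attacker: hash the wordlist once,
    then every account whose password is in it falls out in a dictionary lookup."""
    table = {legacy_md5(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


if __name__ == "__main__":
    # Constructed demo accounts; nothing here comes from a real breach.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))

    old_db = {"alice": legacy_md5("password123"), "bob": legacy_md5("letmein"),
              "carol": legacy_md5("k9#Qv!2zLm")}
    found = crack_unsalted(old_db.values(), ["123456", "password123", "letmein"])
    print("cracked:", {u: found[h] for u, h in old_db.items() if h in found})
```

Note what the legacy branch shows: with no salt, the attacker hashes the wordlist once and recovers alice and bob together; with the salted, slow record, each account has to be attacked separately and each guess costs a full 600,000-round derivation.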
[ Also on InfoWorld: Neil McAllister's classic "Developer error: The most dangerous programming mistakes." | When he isn't stirring up trouble, Paul Venezia likes to explain all about server virtualization. ]
So now that the cat's out of the bag and all those accounts are floating around the Internet, why shouldn't they be held accountable for this negligence? Why should they escape any penalty whatsoever for such egregious corporate practices? I vehemently disagree.
In the United States, at least, very specific laws govern patient information and how it is stored, accessed, and disseminated. HIPAA regulations were put in place to ensure that sensitive patient information is disclosed only to the people who need it, and they restrict health care providers from sharing patient information with anyone else. They were explicitly designed to protect patients, and a patient must sign an authorization before that information is released to another person or party. Yet we have no comparable regulations on the storage, access, and dissemination of sensitive user information on public websites -- none. Thus, there's almost no business case for providing any form of high-level security for customer accounts.
Sure, many places implement significant security measures to protect their users' data, but that's because those developers and product managers actually have a clue or two. An army of ignorant managers and developers does not; they can barely produce functional products, much less functional and secure products. Those clueless people are the cheapest option when a company contracts out for application development -- often without any idea of what the code actually looks like, only that it functions. Rarely will a company that goes for the low bid on a contract spend extra for an independent security audit.
Yet when the public uses these apps, they have a significant level of trust. I mean, they already have an Amazon account, an eBay account, an account at their bank, and so on and so forth. They're all basically the same, right? And as many studies have shown, users often employ the same user name, email address, and password across the sites they frequent. That dumb move makes an individual's personal privacy and security as good as the weakest link among all those sites.