
Will Security Task Force Affect OSS Acceptance?

An anonymous reader writes "An interesting article published by SD Times: "Application Security Goes National" discusses some of the talking points generated by a federal task force that will make recommendations to the Department of Homeland Security. One of these talking points is to license software developers and make them accountable for security breaches. Licensed developers would get paid more as well. The article also mentions that "Executives" might not wish to work with smaller undisciplined partners and a little further down that "Hobbyists create Web services [and] professionals create them" and that "companies relying on critical infrastructure Web services need confidence". Would OSS have to be written entirely by licensed developers to be considered secure? Yahoo Finance has another article on the subject." The SD Times article is current, despite the incorrect date on it.
  • by Aviancer ( 645528 ) on Wednesday December 31, 2003 @09:00PM (#7850121) Homepage Journal
    It's notable that the State does not license the professional, but the Bar Assn (for lawyers) and the Medical Board (for MD/RN/Etc). States (not the US Gov't) make laws that require the professionals to be licensed by an authority.
  • by the_2nd_coming ( 444906 ) on Wednesday December 31, 2003 @09:15PM (#7850240) Homepage
    yeah... it is called Software Engineering.

    very few commercial software applications use correct software engineering techniques, which is why so many bugs are in the software. medical equipment and aircraft equipment and car equipment is tested, retested and run through all the engineering processes in order to make it bulletproof.

    real software engineering is not profitable without making software cost a bloat load more than it does.
  • by breadbot ( 147896 ) on Wednesday December 31, 2003 @09:31PM (#7850325) Homepage

    I believe the word license in this sense is:

    3 a : freedom that allows or is used with irresponsibility b : disregard for standards of personal conduct : LICENTIOUSNESS
    (from Webster's [webster.com])

    Implying that non-good men love the opportunity to act irresponsibly, which is what freedom offers them.

  • EAL Certification, by omnirealm ( 244599 ) on Wednesday December 31, 2003 @09:53PM (#7850414) Homepage
    Let us not forget that the IBM Linux Technology Center has certified a Linux distribution (SLES 8) under the Common Criteria Evaluation Assurance Level 2, and they are currently working on EAL 3. This qualifies a Linux distro, composed largely of Open Source software, to take part in bids on certain security-sensitive government contracts. This sounds just like the kind of assurance that this security task force is looking for.
  • by ergo98 ( 9391 ) on Wednesday December 31, 2003 @11:00PM (#7850684) Homepage Journal
    Do they really believe that licensing software developers will lead to more secure software?

    Most licensing advocates propose licensing as some sort of magical solution that will do everything from improving security, speeding development, improving estimates, lowering bug counts, etc. The trouble is that they never provide any metrics or actual examples to back this up. It'll just happen, apparently.

    I say this with interest as I'm currently reading the book "Professional Software Development", a book by an author that I otherwise think is fabulous -- Steve C McConnell (of "Rapid Development" fame). This book basically goes on and on about the disasters in software development, and continually pushes the idea of licensing as a magical fix-all. Never, at least from what I've seen, does it show an example of where a licensing simile improved software development in any way, but simply holds up failures in the cutting edge world of software development and implies that with licensing it would all go away. To say that this is weak and unreasoned wouldn't be an overstatement.

    Code audits, and code certification by external auditors of any system-critical software, are reasonable to me. Software team and organizational standards to improve productivity and estimates seem reasonable to me. Holding organizations responsible for software that they release, for factors stipulated as important (i.e. security for certain pieces of software) seems reasonable to me. Getting large internet peers to have proactive measures to deal with trojans and worms seems reasonable (i.e. shutting down DDOS zombie connections).

    Licensing software developers as some sort of illusion of improving software is not reasonable. Enforcing a universally high level of security for all software and eliminating the market's choice to weigh security against all other purchasing factors (the market knows that Microsoft software has a long history of security exploits, but strangely they still buy and install it) is not reasonable.

    Licensing is protectionism and "barrier to entry" under another name. How hilarious that this would be proposed under the auspices of the "Anything goes free for all" that is Homeland Security.
  • by twrake ( 168507 ) on Thursday January 01, 2004 @12:47PM (#7852960)
    OSS has no problem with professional certification: you get the source, review it, test it and certify it to a grade. The professional would do this or sign off. For closed source the process is the same except you don't have the source, or you rely on the vendor's professional certification.

    I worked summers in an Architectural/Engineering firm before I got my degree in Computer Engineering in 1979. The real way these firms worked at that time is that the Professionals (Registered Architects and Professional Engineers) supervised and signed off on the work that was done by EITs (Engineers in Training - a degree but not yet passed the state boards) and Draftsmen and other technical people. This model can be used for software/hardware as well. There has been little demand or call for a state-certified need for computer professionals in the last 24 years, largely because the sales force said all the bugs will be fixed in the next "Gotta have" version.

    Our social problem is the adoption of CPUs and related software to critical tasks in our society without review or certification for the tasks in a largely sales-driven market. Having professionals review installed products would likely trim features and consider whole-systems analysis of the effect of additions and changes. In the end this is a good thing because the professional at the install point can specify the grade, and if the vendor fails he doesn't get the business.

    The last point is that the State is responsible for the approval of the Professionals - so in effect the State is taking the work of people it has approved to be and act as Professionals.

    In the end this just means a review of some level of quality on the software or hardware installed. We just don't take the word of the vendor.
