DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Enterprise AI Trend Report: Gain insights on ethical AI, MLOps, generative AI, large language models, and much more.

2024 Cloud survey: Share your insights on microservices, containers, K8s, CI/CD, and DevOps (+ enter a $750 raffle!) for our Trend Reports.

PostgreSQL: Learn about the open-source RDBMS' advanced capabilities, core components, common commands and functions, and general DBA tasks.

AI Automation Essentials. Check out the latest Refcard on all things AI automation, including model training, data security, and more.

Related

  • Remote Work Security Tips for Developers
  • What Is Compliance Monitoring for Remote Developers?
  • Fueling the Future: How Tech Funding Empowers IT Consultants in AI/ML and Cybersecurity
  • Unpacking the New National Cybersecurity Strategy: Key Takeaways for Developers and Security Experts

Trending

  • ChatGPT Code Smell [Comic]
  • Securing Cloud Storage Access: Approach to Limiting Document Access Attempts
  • Secure Your API With JWT: Kong OpenID Connect
  • Maximizing Developer Efficiency and Productivity in 2024: A Personal Toolkit
  1. DZone
  2. Culture and Methodologies
  3. Career Development
  4. Four Ways for Developers To Limit Liability as Software Liability Laws Seem Poised for Change

Four Ways for Developers To Limit Liability as Software Liability Laws Seem Poised for Change

After years of software security liability remaining an open question, changes to the law could be on the way. Here's how to prepare for them in case they come.

By 
Philip Piletic user avatar
Philip Piletic
DZone Core CORE ·
Sep. 19, 23 · Opinion
Like (3)
Save
Tweet
Share
3.7K Views

Join the DZone community and get the full member experience.

Join For Free

For many years, the idea of liability for defects in software code fell into a gray area. You can find debate about the topic going back and forth since at least the early 1990s. Throughout, software developers argued that they shouldn't be held liable for coding flaws that are both difficult to detect and sometimes even harder to fix. And in any case, knowingly exploiting software defects for nefarious purposes is a crime already — so shouldn't cyber criminals alone bear the responsibility for their actions? As a result of these arguments, there haven't been any serious attempts to pass legislation making developers liable for flaws in their code. And for even more ironclad protection, most software developers also include liability waivers in their EULAs.

However, there's reason to believe that the winds surrounding this issue are beginning to shift. As a result of high-level policy reviews originating in the White House, multiple federal agencies, including the NSA, FBI, and CISA, are now calling for developers to develop workflows that make their software products secure by design and by default. And if that's the stance the US's top law enforcement agencies are going to take from now on, it's reasonable to assume that some kind of regulatory or statutory changes to that effect may soon follow.

The mere suggestion of such changes, however, should be enough to spur the most sensible software developers into taking action. The good news is that it shouldn't be difficult for most to cover their bases with respect to software liability. To get them started, here are four steps developers can take right now to guard against potential changes to software liability laws.

Build Security Checks Into Software Pipelines

The first thing to do to head off software liability concerns is to create security checkpoints throughout your development processes. This should begin with thorough code review and certification processes for all repurposed code. This is essential since most software developers now rely on reused open-source code or on self-created code libraries that speed up the development of new software. But as the recent Log4j security incident demonstrated, reused code can introduce vulnerabilities into new software that come back to haunt you. So, it's a good idea to formalize a process whereby you can attest to the security of all reused code — both internally developed and otherwise — before it makes it into production software.

Then, it's a good idea to make extensive use of source code security analyzers throughout the development process. This can make it more likely to identify security issues early on while they're still relatively easy to fix. It can also serve as evidence of your efforts at secure code development, should questions arise after a finished product release.

Commit to 3rd-Party Pre-Release Code Security Audits

The next thing to do to guard against potential software liability concerns is to commit to having all software products go through a 3rd-party code security audit prior to release. This provides yet another opportunity to fix security flaws before they can cause liability issues. Plus, it guarantees that an expert, neutral set of eyes goes over your work before it ships. That can help to combat the kind of vulnerability blindness that often afflicts development teams who become accustomed to reviewing their own work. It can also reassure customers that no efforts were spared to put their security front and center in the development process.

Provide Adequate Customer Support

In recognition of the fact that no software is ever bulletproof, it's a good idea to develop a plan to support customers in the event they're affected by a security issue in one of your software products. For business customers, this might extend to providing direct and/or contracted technical support to aid recovery efforts after a security incident. Of course, you can only take such efforts so far due to the costs involved, but being there for an affected customer could head off any attempts to hold you liable.

For individual customers, it's also smart to partner with an identity protection firm to have them ready to assist if your software suffers a security issue that might lead to identity theft. According to Hari Ravichandran, CEO of Aura, "Competent identity fraud prevention can be an inexpensive way to prevent users from suffering financial losses in the first place. It's a great way to limit liability in the aftermath of a software or data breach."

Purchase the Right Liability Insurance

Even if you go to great lengths to find and fix every bug and potential security flaw, it's always possible for something to go overlooked. As a result, it's a good idea to come up with a liability risk management plan that includes proper insurance coverage. This is essential because, although there aren't any specific laws or regulations making software developers liable for losses stemming from the use of their products, general product liability laws can and do get applied to developers on occasion.

The good news is that the preceding secure code development practices should go a long way to proving good faith in any potential liability case. However, there's no way to eliminate the risk of losses stemming from even a frivolous lawsuit. Therefore, to protect yourself, it's a good idea to carry errors and omissions (E&O) insurance and a general product liability insurance policy at the very least.

The Takeaway

The bottom line is that it's just a good idea for software developers to get their code security ducks in a row now to prepare for any coming shifts in software liability law. Plus, they should develop plans to deal with the aftermath of a security event involving their software now. That way, whether there's any change to the existing liability status quo or not, they'll be ready to handle any potential outcome.

security career

Opinions expressed by DZone contributors are their own.

Related

  • Remote Work Security Tips for Developers
  • What Is Compliance Monitoring for Remote Developers?
  • Fueling the Future: How Tech Funding Empowers IT Consultants in AI/ML and Cybersecurity
  • Unpacking the New National Cybersecurity Strategy: Key Takeaways for Developers and Security Experts

Partner Resources


Comments

ABOUT US

  • About DZone
  • Send feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends: