Should Developers Be Accountable for Flaws?
Howard Schmidt, former White House cybersecurity advisor, is quoted in an article suggesting just this. Like many politicians, he shows a comprehension of the real issues that borders on ignorance. I am not advocating that software with security flaws is a good thing. In fact, I would be the first to agree that developers need to do a better job (especially some developers). But asking developers to be accountable for the flaws is like asking the individual carpenters to be responsible for flaws in a house. It is the contractor's problem if something is wrong with the job. In the same way, it is the software vendor's problem when something is flawed with a software product. Of course, I could digress at this point into a big rant about software licensing and what it means to "own" software. I could also mention that in the open source model there is no vendor per se. But for the purposes of this particular blog entry, let me just say that I disagree with Schmidt's premise.
What is really needed, however, is a good understanding of what security means as it relates to software and the internet. Just as you could not hold a contractor responsible if your house was robbed and you had left the doors open, there is a point at which accountability shifts from the vendor to the owner, or even to the criminal or hacker. After all, the party that is really to blame when a house is robbed is the thief.
So rather than assign blame for security flaws, I believe the best answers lie in better methods of finding the culprits and bringing them to justice.

