In web security, what is the responsibility of the developer when building a system?

Posted on 2007-10-02
Last Modified: 2010-04-11
What is a developer responsible for when building a web security system?  Is he/she responsible for the quality of an existing system?  Is he/she responsible for implementing the request of a company, and if the request is flawed and someone breaks in, who is responsible?
Question by:swansonplace
    LVL 23

    Expert Comment

    by:Erik Bjers
    My opinion...

    If he/she worked on or developed an existing system, then they may be partially responsible for it; however, the company that puts the web site up is ultimately responsible for any content/bugs in the site unless they can prove that the developer intentionally left a hole open or some other flaw.
    LVL 6

    Assisted Solution

    Depends on whether you are asking this question from a legal point of view, and if you are, the law is so different across different parts of the globe that I won't even attempt to answer.

    From an ethical point of view then the responsibility for security of an application MUST lie with the developer. Only the developer knows the code that he or she is cutting. An operating system flaw is a different issue.

    Traditionally security was bolted on at the end of a project. These days it is imperative that the application have a security focus at the beginning before a line of code is cut.

    A developer also has a responsibility to raise concerns with requests that cannot be completed securely.

    Security is a way of thinking in today's environment, and the responsibility lies with all people on a project, from the code cutters through to implementation.

    NOTE: Everything above this line is how I think it should work.

    Reality - check the company policy where you are working. If nothing is stated then go with what you think is right, but protect yourself by sending the appropriate buttock-covering e-mails.

    Author Comment

    I am a developer, and I have been requested to install the application security in a certain way.  The time given is about two days.  I am not the analyst, but in this case the coder; however, since it is being done so quickly, I have concerns, which I have raised.  Any suggestions?  I need to cover my back; any suggestions?
    LVL 23

    Accepted Solution

    Present any concerns you have in writing to the parties who hired you to do the work; if needed, ask them to sign a copy acknowledging that they received it.  Whatever you do, you want a record of your concerns and that you presented them and only continued with the project once the people hiring you were aware of the risks... get everything in writing (and work with a lawyer).

    LVL 18

    Assisted Solution

    Similar to your other question: ultimately management is responsible, if you are an employee. That does not mean you cannot get fired, but then you always have that risk.
    The situation is different when you are self-employed and hired by that company (also for your other question): you are then your own management and could be responsible. So cover yourself well: document and have things signed off.
    For details: get a specialized lawyer involved.


    Author Comment

    I ended up doing a couple of things:
    1. A form was signed, which I was not aware of, saying that the requesting company is responsible for all requests.
    2. I sent a white paper along with the request to test that tells them all about security needs.
    3. I am requesting a testing sign off.
