In web security, what is the responsibility of the developer when building a system?

Posted on 2007-10-02
Medium Priority
Last Modified: 2010-04-11
What is a developer responsible for when building a web security system?  Is he/she responsible for the quality of an existing system?  Is he/she responsible for implementing the request of a company, and if the request is flawed and someone breaks in, who is responsible?
Question by: swansonplace
LVL 23

Expert Comment

by:Erik Bjers
ID: 19997344
My opinion...

If he/she worked on or developed an existing system, then they may be partially responsible for it; however, the company that puts the web site up is ultimately responsible for any content/bugs in the site unless they can prove that the developer intentionally left a hole open or some other flaw.

Assisted Solution

nexissteve earned 400 total points
ID: 19997402
Depends on whether you are asking this question from a legal point of view, and if you are, the law is so different across different parts of the globe that I won't even attempt to answer.

From an ethical point of view then the responsibility for security of an application MUST lie with the developer. Only the developer knows the code that he or she is cutting. An operating system flaw is a different issue.

Traditionally security was bolted on at the end of a project. These days it is imperative that the application have a security focus at the beginning before a line of code is cut.

A developer also has a responsibility to raise concerns with requests that cannot be completed securely.

Security is a way of thinking in today's environment, and the responsibility lies with all people on a project, from the code cutters through to implementation.

NOTE: Everything above this line is how I think it should work.

Reality - check the company policy where you are working. If nothing is stated then go with what you think is right, but protect yourself by sending the appropriate buttock-covering e-mails.

Author Comment

ID: 19997808
I am a developer, and I have been requested to install the application security in a certain way. The time given is about two days. I am not the analyst, but in this case the coder; however, since it is being done so quickly, I have concerns which I have raised. Any suggestions? I need to cover my back; any suggestions?

LVL 23

Accepted Solution

Erik Bjers earned 800 total points
ID: 19997953
Present any concerns you have in writing to the parties who hired you to do the work; if needed, ask them to sign a copy acknowledging that they received it. Whatever you do, you want a record of your concerns and that you presented them and only continued with the project once the people hiring you were aware of the risks... get everything in writing (and work with a lawyer).

LVL 18

Assisted Solution

PowerIT earned 800 total points
ID: 19998757
Similar to your other question: ultimately management is responsible, if you are an employee. Which does not say that you cannot get fired, but then you always have that risk.
The situation is different when you are self-employed and hired by that company (also for your other question): you are then your own management and could be responsible. So cover yourself well: document and have things signed off.
For details: get a specialized lawyer involved.


Author Comment

ID: 20062083
I ended up doing a couple of things:
1. A form was signed, which I was not aware of, saying that the requesting company is responsible for all requests.
2. I sent a white paper along with the request to test that tells them all about security needs.
3. I am requesting a testing sign-off.