For many years, the idea of liability for defects in software code fell into a gray area. You can find debate about the topic going back and forth since at least the early 1990s. Throughout, software developers argued that they shouldn’t be held liable for coding flaws that are both difficult to detect and sometimes even harder to fix. And in any case, knowingly exploiting software defects for nefarious purposes is a crime already — so shouldn’t cyber criminals alone bear the responsibility for their actions? As a result of these arguments, there haven’t been any serious attempts to pass legislation making developers liable for flaws in their code. And for even more ironclad protection, most software developers also include liability waivers in their EULAs.
However, there’s reason to believe that the winds surrounding this issue are beginning to shift. As a result of high-level policy reviews originating in the White House, multiple federal agencies, including the NSA, FBI, and CISA, are now calling for developers to develop workflows that make their software products secure by design and by default. And if that’s the stance the US’s top law enforcement agencies are going to take from now on, it’s reasonable to assume that some kind of regulatory or statutory changes to that effect may soon follow.
The mere suggestion of such changes, however, should be enough to spur the most sensible software developers into taking action. The good news is that it shouldn’t be difficult for most to cover their bases with respect to software liability. To get them started, here are four steps developers can take right now to guard against potential changes to software liability laws.
Build Security Checks Into Software Pipelines
The first thing to do to head off software liability concerns is to create security checkpoints throughout your development processes. This should begin with thorough code review and certification processes for all repurposed code. This is essential since most software developers now rely on reused open-source code or on self-created code libraries that speed up the development of new software. But as the recent Log4j security incident demonstrated, reused code can introduce vulnerabilities into new software that come back to haunt you. So, it’s a good idea to formalize a process whereby you can attest to the security of all reused code — both internally developed and otherwise — before it makes it into production software.
Then, it’s a good idea to make extensive use of source code security analyzers throughout the development process. This can make it more likely to identify security issues early on while they’re still relatively easy to fix. It can also serve as evidence of your efforts at secure code development, should questions arise after a finished product release.
Commit to 3rd-Party Pre-Release Code Security Audits
The next thing to do to guard against potential software liability concerns is to commit to having all software products go through a 3rd-party code security audit prior to release. This provides yet another opportunity to fix security flaws before they can cause liability issues. Plus, it guarantees that an expert, neutral set of eyes goes over your work before it ships. That can help to combat the kind of vulnerability blindness that often afflicts development teams who become accustomed to reviewing their own work. It can also reassure customers that no efforts were spared to put their security front and center in the development process.
Provide Adequate Customer Support
In recognition of the fact that no software is ever bulletproof, it’s a good idea to develop a plan to support customers in the event they’re affected by a security issue in one of your software products. For business customers, this might extend to providing direct and/or contracted technical support to aid recovery efforts after a security incident. Of course, you can only take such efforts so far due to the costs involved, but being there for an affected customer could head off any attempts to hold you liable.
For individual customers, it’s also smart to partner with an identity protection firm to have them ready to assist if your software suffers a security issue that might lead to identity theft. According to Hari Ravichandran, CEO of Aura, “Competent identity fraud prevention can be an inexpensive way to prevent users from suffering financial losses in the first place. It’s a great way to limit liability in the aftermath of a software or data breach.”
Purchase the Right Liability Insurance
Even if you go to great lengths to find and fix every bug and potential security flaw, it’s always possible for something to go overlooked. As a result, it’s a good idea to come up with a liability risk management plan that includes proper insurance coverage. This is essential because, although there aren’t any specific laws or regulations making software developers liable for losses stemming from the use of their products, general product liability laws can and do get applied to developers on occasion.
The good news is that the preceding secure code development practices should go a long way to proving good faith in any potential liability case. However, there’s no way to eliminate the risk of losses stemming from even a frivolous lawsuit. Therefore, to protect yourself, it’s a good idea to carry errors and omissions (E&O) insurance and a general product liability insurance policy at the very least.
The bottom line is that it’s just a good idea for software developers to get their code security ducks in a row now to prepare for any coming shifts in software liability law. Plus, they should develop plans to deal with the aftermath of a security event involving their software now. That way, whether there’s any change to the existing liability status quo or not, they’ll be ready to handle any potential outcome.
Opinions expressed by MaximusDevs contributors are their own.