Free From Defect Software License

Tuesday, November 22, 2011

Keith Mendoza


I have been writing open-source software on the side for quite some time now (see my GitHub profile).

I've used both GPL and the Apache licenses for my work. The flip-flopping between the licenses is mainly caused by me feeling that a particular license meets my target audience.

The one item that bothers me--in fact all software licenses carry this--is the "no warranty" clause. I personally think that it's high time that software developers take on the challenge of providing a guarantee that their software will work as designed.

That all necessary due diligence has been done to make sure that the software does not contain bugs that could lead to loss of data or a security breach. Back in the days of card punches, software was written once and basically worked.

As storage got cheaper, everyone got reckless and quality basically went down the drain as more development frameworks started providing the proverbial kitchen sinks.

I've begun work on a JavaScript-based web application framework that I've called Flat8 and I'm going to take the moral high ground by licensing it in a way that basically says "I've done my best to test and secure the software that I'm writing. If a bug/defect is found, I intend to fix it after so many days."

Why am I doing this? Because I feel that software developers are capable of doing this; so I'm going to be the first to do it and I hope that others will follow. If I actually pull it off, I hope that others will see that it indeed can be done; if I fail, then I hope that others will learn from my mistake.

This is a question that I would like to pose to the open-source software community in general: Assuming that we can ignore the lawyers for a second, what amount of effort would you be willing to put in to produce software that is free of defect from workmanship? How will you go about making sure that your software is indeed free from defect?

Here is my list that I came up with:

  • A clear list of requirements will be produced, documented, and agreed on. Any assumptions taken will be documented.
  • Thorough development documentation will be produced. Basically the architecture, detailed design, testing, and source code documentation will be produced.
  • Complete operating manual will be produced.
  • Software is thoroughly tested to make sure that all requirements and assumptions are tested; and the results are published to provide a benchmark for proper operation.
  • Secure coding standards will be adhered to, and source code will go through code scan to make sure that the code is as clean as possible.
  • SCM practices will be followed.

These are conditions that I would put in place to keep the software under warranty:

  • Software is not used in a way outside of the given requirements.
  • The user has followed all user documentation and has referenced the test results to confirm that their input falls within the published parameters.
  • The provided unit and functional tests actually passed on the platform where the software is running.

I would like to hear your thoughts on this. What would you add/remove from the list? I strongly believe that if the software industry as a whole takes on a "we'll stand by our software" attitude that information security issues will go down significantly.

At the end of the day everything from the BIOS, to the kernel, to the services, are all software.

Cross-posted from Home+Power

Brian Blank: Warranty stipulates that you stand behind your work. Not just morally or ethically, but financially. If your system craps out and causes a company to lose a million bucks, guess who could be held financially liable. I hope you have a good insurance policy.

Gabriel Bassett: This basically sounds like intent to include an open-ended maintenance contract with the software. While I think it's a nice gesture, I think it's impractical to assume you will have the resources to maintain the software in perpetuity.

Also, there seems to be an implied assumption that the software should provide all the security. Software will never be perfect because people are imperfect. As such it’s better to design a security profile (whether it is personal, private, corporate, or government) around a combination of things: operational security, engineering security (as you suggest), intel, and management of users. Dropping the security burden all on the software is simply unfair and unrealistic.