Thursday 15 January 2015

Web/App vulnerability responsibility



While auditing a few web apps and websites I uncovered a few serious vulnerabilities, which I've since flagged (responsibly, of course). One of the things I noticed was that several development companies had worked on parts of this application, and that got me thinking: in the event of a security breach or data leak, who's ultimately responsible for it? I'm UK based, so I'm going to refer to UK law here, but I'm sure the same could apply in your region.


I'm not talking about cases where dev studios have contracts that absolve them of any vulnerabilities, but rather cases where no contract is in place between the developer(s) and the business. For example, one particular application was vulnerable to SQL injection and had been worked on by a very junior developer. It's a public-facing app, so loads of juicy customer data was stored in the database.


If the database were breached and private customer data exposed, this would constitute a breach of the Data Protection Act 1998. Who's ultimately responsible for that breach? The business, as they're the one providing the service? The developer, as they're the one that introduced the flaw that allowed access (knowingly or otherwise)? The third-party dev company for providing the work? While in my opinion the business should be ultimately responsible for the safety of the customer data, it could be argued that somebody broke the Computer Misuse Act 1990 by introducing a vulnerability, knowingly or unknowingly, that allowed the application to become compromised. My question is: would only the business be in the firing line, or would the developers be too?


Attribution must also be considered. If a senior dev picks up the script above, makes changes and doesn't do due diligence to check for vulnerabilities, does that make them responsible rather than the original developer, or are they both now in the firing line?


Just to clarify: I'm not looking for hard legal advice here, but it's worth asking the question of responsibility.