Opinion: If practice makes perfect, does imperfect make malpractice?
When I got the invitation to keynote this months Software Security Summit in San Diego, I proposed "Mediocrity Is Malpractice" as a title for my remarks.
I was thinking of this as a general statement about rising expectations. As it got to be time to prepare the talk, however, I realized that I should take it as literally true and explore the implications of developers being viewed as (mal)practitioners.
Its not original to talk about developers possibly being regulated by the professional engineer certification system thats administered by various state agencies.
Im not certain that such developer certification is a good idea; Im definitely not expecting it any time soon.
With or without such formalities, though, I suggest that developers meet key tests of being a "professional": specialized skills that many people cant realistically hope to acquire, a specialized vocabulary thats not accessible to the untrained and the kind of work that can be competently judged only by a professional peer.
You dont need to speak of malpractice in a field such as plumbing, because a layman knows a leaky pipe when he sees onebut it takes a top-flight coder to go through a nontrivial program and quickly spot the kind of flaw thats potentially dangerous.
Its therefore necessary for developers to be a self-scrutinizing communityone that can say with credibility not only when something wrong has been done but also when due care has not been taken.
Acts of omission matter. Malpractice is not limited only to fraud, deceit or other acts of commission, but it also includes culpable failure to know or to do.
The classic example is a lawyer who fails to file suit before a statute of limitations deadline has expired: The client cant be expected to bird-dog his attorney on such matters.
Crucially, theres also ample precedent for the idea that failure to know and comply with applicable laws and regulations is, by definition, a negligent act of omission.
Faced with a growing number of laws and regulations affecting software development and use, software practitioners must therefore work that much harder to avoid such errors.
When law meets up with technology, one of the most important sparks that fly from that collision is the idea of strict liability. Say you rent a car from a discount used-car outlet and one of the cars tires is conspicuously flat when you pick up the vehicle.
You drive it anyway and have a blowout that leads to an accident. The rental agency can then claim your knowing assumption of risk, plus contributory negligence, and thereby reduce its exposure.
In contrast, if I rent you a rocket ship, and it crashes on a city, I cant reasonably claim that you should have magnafluxed the turbine rotors before you took offor even that you should have known better than to fly it over an inhabited area.
Rockets are a relatively obscure and inherently dangerous technology, and the system works best if those who introduce that technology into the community are held strictly liable for the consequences.
Software is still a lot closer to rocket science than it is to Rent-A-Wreckand the model of software as a service involves more software developers becoming providers to clients who dont know and cant be presumed to understand the inherent risks of what theyre getting into.
For example, while planning my drive to the Software Security Summit, I looked up the destination on Google Maps and found a diagonal band of blank squares across the middle of the map.
Two days later, those blanks had been filled inbut imagine some automated system that relied on that service, suddenly finding itself in terra incognita. Its a good reason to call something "beta," dont you think?
For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.
And when you think of yourself as a possible target of a lawsuit for malpractice, you dont leave comments in source code that say things such as "Dont even look at the mess below"an actual example from a gallery of comments that Ive seen and the kind of thing that you wouldnt want a plaintiffs attorney to find.
Professionalism doesnt mean just doing your best; it means knowing and being prepared for how good others expect you to be.
Peter Coffee can be reached at firstname.lastname@example.org.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.