[ale] a quick test of web site stupid

JD jdp at algoloma.com
Wed Mar 6 18:26:11 EST 2013


See in-line ...

On 03/06/2013 04:44 PM, Jim Kinney wrote:
> 
> 
> On Wed, Mar 6, 2013 at 4:10 PM, Matt Hessel <matt.hessel at gmail.com> wrote:
> 
>     I see the idea behind the certification, but in practice that seems mostly
>     useful to employers when hiring individuals with little on their resume.
> 
> 
> It's not for employers. It's for lawyers and judges to use as a bludgeon to make
> companies use good practices in coding for public consumption. If company FOO is
> in software development, and they provide code for banking, they MUST have a
> certified banking code engineer on staff and sign off on the code or else that
> code is not legal to use for banking. Or they can pay a banking code engineering
> firm to evaluate their code and sign off if it suits the engineer's standards.

Most banking code was written 20-40 yrs ago. You want them to review all that
and certify it?  They would rather pay the losses. It is a business decision,
just like Ford decided to pay for all the exploding Pintos.  Risk analysis.

> If mom-n-pop company hires a developer to put up a web site, they don't need a
> certified engineer to approve anything UNTIL they add something like shopping
> site with credit card stuff. If their website gets defaced because they hired an
> idiot, that's their problem. If their website gets hacked and credit card data
> is stolen, then it's a criminal offense on them for deploying code that was not
> approved by a professional engineer. I see drop-in certified modules for various
> platforms to do this.

Very few online retailers write the code to handle credit cards. They buy a
package or pay a service provider.  The PCI standards are almost a joke. A
friend works in that field handling many $$$millions through her code daily. To
be PCI compliant, she was forced to make her system less secure than it was.
I've heard similar complaints from others in the field. I want to laugh at the
people saying that passing their PCI audit was tough. I don't know anything
about this - never wrote any software like it.

Following "industry standards" seems to be a get out of jail free answer. It
doesn't matter that industry standards often are not all that good.

> I can't build a bridge for public use until I am a certified, tested and passed
> Professional Engineer. As a PE, it's MY name on the line for the stuff I sign
> off on. So a PE won't approve crap. Is it a perfect system? Nope. But it keeps
> slick talking idiots from building bridges and practicing law and medicine.

If it is related to civil engineering, you are mostly correct.

> A person who passes a PE exam doesn't need much else on their resume. It's not
> possible to pass without mountains of knowledge and/or experience. There is

I know a few PEs - considered it myself, but never worked in an area where that
was useful.  There are PE licenses for 3 areas of engineering. There are no PE
licenses for nuclear engineers or aircraft engineers.  Why is that?  I suspect
because there hasn't been a need.

> already a Professional Software Engineer license process. What is needed is to
> add HIPAA and Banking modules (or more generically - data security) and then
> require that places that use software in these fields have X years to be using
> certified, compliant software or they get shut down, fined out the ass or both
> for repeated violations. "Market forces" can't fix this crap. It's like why we
> all drive on the right hand side of the road. Someone decided we have to clean
> up the mess and made it happen.

Only the front page of the NYT will get the attention of an industry.
I've been in meetings where the business representatives said it was too costly
to do X.  Then I pointed out all the negative press that was extremely likely if
we didn't.  This was a laptop patching discussion for systems that were almost
never connected to the corporate network.  The business people decided that NYT
publicity was worse than the cost and recurring costs of patching the laptops.

Only public shame will make these sorts of issues go away. No licensing will
help unless the insurance companies demand the license before insuring a
development company for errors and omissions - BTW, this insurance is required
for many professional services companies.  The E&O insurance that my company has
does include a few mandates for IT.  I'd find those clauses, but it is too hard
right now.  I think those were something like these:
* Performing backups
* running current AV software on all machines
* Having a firewall
* staying patched
The bar was really low and vague enough for a lawyer to drive a moped towing a 3
story house through.
