It is very topical. Currently anyone can declare himself a software developer. That largely explains the number of sql injection vulnerabilities, unencrypted sensitive data, unintuitive software UI, unpatched servers, cross site scripting vulnerabilities, and other moronic software design decisions.
For many years there was a sense that what is electronic doesn't matter. That breaking into someone's computer is at best a game while breaking into someone's home is a crime. That hacking and disrupting a power plant is an annoyance while bombing it is an act of war.
But I think it is changing. Non-technical people now realise that software is massively important in our society, and the alarming pace of data breaches is giving a bad reputation to the industry. I think a system of licenses for developers is inevitable.
This scares the hell out of me. The idea that an organization/government will require programmers to get licenses. I would have never gotten into coding if I hadn't had the freedom to play around with code when I was younger. Reminds me of RMS's "The Right to Read": debuggers are illegal to use unless you're a licensed programmer. Say what you want about RMS, but you have to admit he's pretty prophetic at times. He predicted the implications of DRM in the mid '90s.
Philip K. Dick was also pretty oracle-like in this regard: "There will come a time when it isn't 'They're spying on me through my phone' anymore. Eventually, it will be 'My phone is spying on me'." He damn near predicted the advent of smartphones+CIQ in the '70s. I imagine he came up with that notion after writing A Scanner Darkly.
Calling yourself a developer is pretty humble, today we have self taught people like me calling themselves engineers and architects. Unlike an actual engineer or architect who will face some kinds of consequences for failure, our current system is too easy on those who build and ship defects.
The closest I saw in my professional career to fixing this problem was at a shop which implemented ISO9000/TL9000 processes in such a way that anyone who signed off to approve a defect would have his career ruined. It seemed to work well for us.
Now that computers and electronics are directing and controlling processes and operations that have a potential to cause damage to life, property and economics, I think that at least certain areas of these "engineering" fields should require proof of competency before practice. We are drowning in stories about all kinds of defects from information leaks to process failures, and very few of the responsible parties have faced any consequences at all.
The idea that licenses would solve that is naive at best and dangerous at worst.
I've known people with CS degrees and half of them would throw you a blank stare at those words.
> unintuitive software UI
Most licensed engineers are guilty of this.
So make sure only those who have a magical paper and studied at fancy schools (where they probably will learn PHP, the basics of sql injection - oh wait, there are new vulnerabilities, but I don't have to worry about these because I didn't learn about them in school) can work on computing, I'm sure quality will shoot right up /s
Well, how was it solved in other industries? Licenses and norms. In the construction industry you can't just build a house. You have a pile of norms and regulations you have to comply with. Today anyone can open a website and start taking passwords.
I'm not looking forward to that, but do you have a better solution? The way the industry currently works is unsustainable. And I am not even talking about privacy invasion.
Because if you build or design the smallest house improperly, it could collapse and kill people. If you build a crappy WordPress site nothing of similar consequence will happen.
Not sure about other parts of the world, but here in BC we do have licensed Software Engineers for these purposes. Most software developers aren't licensed though.
> Currently anyone can declare himself a software developer
And that's great.
> That largely explains the number of sql injection vulnerabilities, unencrypted sensitive data, unintuitive software UI, unpatched servers, cross site scripting vulnerabilities, and other moronic software design decisions.
No, what explains that is market variety. You want a $200 Facebook clone, you get what you paid for. You want a well built iPhone app for $30000, you'll get what you paid for, probably. No regulations can protect clients from their moronic hiring decisions.
> You want a well built iPhone app for $30000, you'll get what you paid for, probably.
Yeah, probably. That's not nearly good enough. Not even close. There's an enormous list of extraordinarily expensive failures in the software industry. If I pay an actual professional a serious amount of money to do something for me, and it turns out they did a truly awful job (which is pretty common in the software industry), I expect to be able to claim recompense from their professional insurer and/or their professional licencing body. That's part of why I pay so much; the reassurance. Knowing I can rely on it.
Software, of course, has no such professional body, and exists in a twilight world of chancers and incompetents. Why should the software industry get away with knowingly producing crap and charging a fortune for it?
I'd be happy with a two tier approach; at the moment, if I want a wall built, I can pay a professional (with the expectations and protections that come with the high price) or hire a day-labourer I met in the pub. There is no such choice in software.
> Software, of course, has no such professional body, and exists in a twilight world of chancers and incompetents. Why should the software industry get away with knowingly producing crap and charging a fortune for it?
This is not really correct. If you are hiring a development firm or an independent contractor, you stipulate in your contract that the company or developer must carry some form of errors and omissions insurance. I've never seen a contract that did not have this line item. Any reputable company or independent contractor will already carry this regardless. If they do not, avoid hiring them.
We have such a two tier approach here in BC with licensed Software Engineers. That's fine by me as long as my own work is not regulated.
But there are only ~200 licensed software engineers in BC, so as far as the general market for software development services is concerned, they are irrelevant outside of niche applications where lives are at stake.
It doesn't cost anything to not design an SQL injection in the first place, or to add a function to encrypt data. The problem is not cost, it is incompetence.
While I might agree that the tooling for writing injection-free SQL has improved over the years, certainly back in the day you did have to think about edge cases and be mindful that you weren't allowing anything through. That comes at a cost.
Likewise, especially when it comes to encryption, many schemes have been broken over the years by someone just "adding a function". Actually understanding the vectors one might try to attack what you are doing, again, adds cost.
Finally, as cost is directly proportional to the supply and demand, competent people are generally going to be found in lower supply and in greater demand. Even if you discount the above, competent people are naturally going to cost more.
I would agree if we were talking about much more advanced technologies (like multi-threading or high performance code). But using cryptographic functions or parameterised queries are pretty basic skills. You don't expect every electrician to be able to fix a motherboard but you expect any electrician to know "domestic electrical installation 101".
You might be able to say that now, after much publicization and improved tooling. PHP/mysql comes to mind as not even supporting parameterized queries up to somewhat recent history. Ensuring your queries were safe was entirely up to you. A lot of those old code bases still exist and are being exploited, but what evidence is there that people are still writing brand new projects that way?
That said, even in recent times I've run into edge cases that were not covered by parameterization, still leaving me to ensure the query is sane. It takes care to make sure you get it right. Maybe if you're just shuffling basic user input into a database you can make that claim, but not all tasks are so simple.
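The point being argued here, shown as a constructed example (not code from any commenter): a query built by string concatenation beside its parameterized form, plus the edge case the comment refers to, where a sort column is an identifier that cannot be bound as a parameter and has to be validated against an allowlist instead. The table, rows and function names are all made up for the example.

```python
import sqlite3

# Constructed in-memory table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def find_by_name_unsafe(conn, name):
    # String concatenation: the caller's input becomes part of the SQL text,
    # so a quote character in the input changes the statement's structure.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_safe(conn, name):
    # Parameterized: the value is bound separately from the query text and
    # can only ever be compared as data, whatever characters it contains.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()

# Identifiers (column names in ORDER BY, table names) cannot be bound as
# parameters, so this is the case parameterization does not cover.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}

def is_allowed_sort(sort_col):
    return sort_col in ALLOWED_SORT_COLUMNS

def list_sorted(conn, sort_col):
    # Validate the identifier against a fixed allowlist, then interpolate.
    if not is_allowed_sort(sort_col):
        raise ValueError("unsupported sort column: %r" % sort_col)
    return conn.execute("SELECT name FROM users ORDER BY " + sort_col).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("unsafe:", find_by_name_unsafe(db, crafted))  # every row comes back
    print("safe:  ", find_by_name_safe(db, crafted))    # no row has that name
    print("sorted:", list_sorted(db, "name"))
```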
> You don't expect every electrician to be able to fix a motherboard but you expect any electrician to know "domestic electrical installation 101".
If you are writing web software you probably should know SQL and all of its shortcomings, but I wouldn't expect all programmers to know SQL, even at a basic level. There are countless programming tasks that will never have anything to do with relational databases.
In my country certain electronics engineering jobs require a license. The licensing system and the exams are a joke, they don't test for engineering ability at all, more like trivia and formula-memorization tests.
Fortunately, only a small subset of jobs (radio and TV operations) require it, and the best graduates don't want to work those jobs anyway. Most engineering companies ignore it if it isn't legally required for the position. They instead look at where the applicant got their degree and relevant experience.
A large part of the problem I think is that screening thousands of engineering grads properly for engineering competence would be prohibitively expensive and time-consuming for the government, and no one wants to admit the system is broken.
I suspect any government initiative to regulate software development is going to run into similar problems. I wonder how the medical and legal industries do it.
>I wonder how the medical and legal industries do it.
Do they actually do it with any success? According to this article: http://www.forbes.com/sites/leahbinder/2013/09/23/stunning-n..., medical errors represent the third leading cause of death in the United States. Medical licensing makes it hard to enter the industry, but it doesn't seem to do much good of forcing dangerously incompetent practitioners out of the industry.
As in many high paying regulated jobs, those inside have connections which let them 'recommend' and 'ease' the entrance of close, selected friends/family into the field.
Then you get dynasties, and as much as we pretend regulation to be meaningful, when they rot in such a way the licenses just become 'favor money' and the whole category starts smelling.
Legal licensing does not keep incompetent practitioners from entering the industry, at least in the U.S. This is cultural - there is still an expectation that after you get your license, other lawyers will train you.