[ale] a quick test of web site stupid

John Pilman jcpilman at gmail.com
Wed Mar 6 21:25:01 EST 2013


I am a Registered PE, and most of the observations I have read here about
PEs are on the right track.  I also agree with the sentiment that certified
software providers could ease some of the pain we are dealing with these
days.  The big difference, as I see it, is software providers have to
compete on a global basis.  Engineering registration is done state by
state.  If I want to build a bridge in Georgia, I only have to low bid
every other PE in the state.  I'd like to see software receive better
vetting, but I don't know how that can be enforced with the world wide set
of providers we have, most of whom do not have to answer to Georgia state laws.

...John



On Wed, Mar 6, 2013 at 6:51 PM, Matt Hessel <matt.hessel at gmail.com> wrote:

> I can't think of a reason why a mom and pop would even know what
> certification would really mean to them.  If they are handling credit card
> data, then they get something from a third party to handle it like PayPal,
> or Google and it never touches their system.
>
> In the larger picture anything that provides lawyers something to bludgeon
> with is a bad idea to me.  They screw up too much as it is - and get paid
> too much as well.
>
> There is a difference between building a bridge and a website.
>
> Any website can be compromised, idiot developer or not.  It's harder to
> blow up the bridge...
> On Mar 6, 2013 6:27 PM, "JD" <jdp at algoloma.com> wrote:
>
>> See in-line ...
>>
>> On 03/06/2013 04:44 PM, Jim Kinney wrote:
>> >
>> >
>> > On Wed, Mar 6, 2013 at 4:10 PM, Matt Hessel <matt.hessel at gmail.com
>> > <mailto:matt.hessel at gmail.com>> wrote:
>> >
>> >     I see the idea behind the certification, but in practice that seems
>> >     mostly useful to employers when hiring individuals with little on
>> >     their resume.
>> >
>> >
>> > It's not for employers. It's for lawyers and judges to use as a
>> > bludgeon to make companies use good practices in coding for public
>> > consumption. If company FOO is in software development, and they
>> > provide code for banking, they MUST have a certified banking code
>> > engineer on staff and sign off on the code or else that code is not
>> > legal to use for banking. Or they can pay a banking code engineering
>> > firm to evaluate their code and sign off if it suits the engineer's
>> > standards.
>>
>> Most banking code was written 20-40 yrs ago. You want them to review all
>> that and certify it?  They would rather pay the losses. It is a business
>> decision, just like Ford decided to pay for all the exploding Pintos.
>> Risk/analysis.
>>
>> > If mom-n-pop company hires a developer to put up a web site, they don't
>> > need a certified engineer to approve anything UNTIL they add something
>> > like a shopping site with credit card stuff. If their website gets
>> > defaced because they hired an idiot, that's their problem. If their
>> > website gets hacked and credit card data is stolen, then it's a
>> > criminal offense on them for deploying code that was not approved by a
>> > professional engineer. I see drop-in certified modules for various
>> > platforms to do this.
>>
>> Very few online retailers write the code to handle credit cards. They buy
>> a package or pay a service provider.  The PCI standards are almost a joke.
>> A friend works in that field handling many $$$millions through her code
>> daily. To be PCI compliant, she was forced to make her system less secure
>> than it was. I've heard similar complaints from others in the field. I
>> want to laugh at the people saying that passing their PCI audit was tough.
>> I don't know anything about this - never wrote any software like it.
>>
>> Following "industry standards" seems to be a get out of jail free answer.
>> It doesn't matter that industry standards often are not all that good.
>>
>> > I can't build a bridge for public use until I am a certified, tested
>> > and passed Professional Engineer. As a PE, it's MY name on the line for
>> > the stuff I sign off on. So a PE won't approve crap. Is it a perfect
>> > system? Nope. But it keeps slick talking idiots from building bridges
>> > and practicing law and medicine.
>>
>> If it is related to civil engineering, you are mostly correct.
>>
>> > A person who passes a PE exam doesn't need much else on their resume.
>> > It's not possible to pass without mountains of knowledge and/or
>> > experience. There is
>>
>> I know a few PEs - considered it myself, but never worked in an area
>> where that was useful.  There are PE licenses for 3 areas of engineering.
>> There are no PE licenses for nuclear engineers or aircraft engineers.
>> Why is that?  I suspect because there hasn't been a need.
>>
>> > already a Professional Software Engineer license process. What is
>> > needed is to add HIPAA and Banking modules (or more generically - data
>> > security) and then require that places that use software in these
>> > fields have X years to be using certified, compliant software or they
>> > get shut down, fined out the ass or both for repeated violations.
>> > "Market forces" can't fix this crap. It's like why we all drive on the
>> > right hand side of the road. Someone decided we have to clean up the
>> > mess and made it happen.
>>
>> Only the front page of the NYT will get the attention of an industry.
>> I've been in meetings where the business representatives said it was too
>> costly to do X.  Then I pointed out all the negative press that was
>> extremely likely if we didn't.  This was a laptop patching discussion for
>> systems that were almost never connected to the corporate network.  The
>> business people decided that NYT publicity was worse than the cost and
>> recurring costs of patching the laptops.
>>
>> Only public shame will make these sorts of issues go away. No licensing
>> will help unless the insurance companies demand the license before
>> insuring a development company for errors and omissions - BTW, this
>> insurance is required for many professional services companies.  The E&O
>> insurance that my company has does include a few mandates for IT.  I'd
>> find those clauses, but it is too hard right now.  I think those were
>> something like these:
>> * Performing backups
>> * running current AV software on all machines
>> * Having a firewall
>> * staying patched
>> The bar was really low and vague enough for a lawyer to drive a moped
>> towing a 3 story house through.
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>