hilariously 2 days ago

It's so much worse in the industry, the truth is that many people literally have no idea how to secure things, what to secure, why to secure it - they pay no attention and are plainly ignorant of the state of the world and oftentimes just stupid.

I worked at a company where a customer called confused because when they googled our company as they did every day to login to their portal they found that drivers licenses we stored were available on the public internet.

The devs literally didn't know about direct object access and thought obfuscation was enough, didn't know about how robots.txt worked, didn't know about google webmaster shit, didn't know about sitemaps, they were just the cheapest labor the company could find who could do the thing.

This is a huge portion of outsourced labor in my experience, not because they are worse overseas in any respect, but because the people looking for cheap labor were always looking for the cheapest labor and had no idea how that applied to the actual technical work of running their business.
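The direct-object-access mistake described in the post above, shown as an added example that is not part of this thread: a handler that serves stored documents by an obfuscated token with no ownership check, beside the fixed version. The document store, user names and token scheme are constructed for illustration.

```python
# Added example (not from the thread): why an obfuscated identifier is not
# access control, and what the missing check looks like.
# All data below is constructed sample data.
import hashlib
from typing import Optional

# Constructed store: document id -> (owner user id, stored file name)
DOCUMENTS = {
    "a1b2": ("alice", "driver-license-alice.pdf"),
    "c3d4": ("bob", "driver-license-bob.pdf"),
}


def obfuscated_id(doc_id: str) -> str:
    """The 'obscurity is enough' scheme: public URLs carry a hash of the
    real id. Anyone who obtains a link (a crawler, a shared URL, a log)
    can still fetch the document, because the token is the only gate."""
    return hashlib.sha256(doc_id.encode()).hexdigest()[:16]


LOOKUP = {obfuscated_id(k): k for k in DOCUMENTS}


def fetch_insecure(token: str) -> Optional[str]:
    """Vulnerable: resolves the token without asking who the caller is.
    robots.txt would not help either; it only advises polite crawlers."""
    doc_id = LOOKUP.get(token)
    return DOCUMENTS[doc_id][1] if doc_id else None


def fetch_secure(token: str, session_user: Optional[str]) -> Optional[str]:
    """Fixed: require an authenticated session and verify that the caller
    owns the object. Missing and foreign documents get the same 'not
    found' answer so the response does not reveal which ids exist."""
    if session_user is None:
        return None
    doc_id = LOOKUP.get(token)
    if doc_id is None or DOCUMENTS[doc_id][0] != session_user:
        return None
    return DOCUMENTS[doc_id][1]


if __name__ == "__main__":
    tok = obfuscated_id("a1b2")
    print("insecure, anonymous:", fetch_insecure(tok))
    print("secure, anonymous:  ", fetch_secure(tok, None))
    print("secure, wrong user: ", fetch_secure(tok, "bob"))
    print("secure, owner:      ", fetch_secure(tok, "alice"))
```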

jval43 2 days ago | parent [-]

>they were just the cheapest labor the company could find who could do the thing.

That's the problem right there. The company doesn't care. No amount of personal certifications is going to fix that.

It MUST be on the companies. They should be fined out of existence for such breaches and they would quickly change tune.

ChrisMarshallNY 2 days ago | parent [-]

> They should be fined out of existence for such breaches and they would quickly change tune.

Looks like this is a great opportunity for an object lesson. Let’s see how it goes…

As far as certification stuff…

Civil engineering has had licensing forever. That’s because Bad Things Happen, when they make mistakes.

I do think that it would be a good idea to score/certify critical infrastructure stuff. That might involve certification of the people that make it, but it should certainly involve penalties for the people responsible. That might include the authors, but it should probably also include the folks that decide to use the bad code.

I know that ISO 9000 is an attempt to address this kind of thing. In my opinion, it’s kind of a mess. I’ve worked in ISO 9000 shops, and it’s not much fun. The thing you learn, pretty quickly, is how to end-run the process, as it’s so heavy, that it basically stops all forward progress. It doesn’t have to, but often does.

Mistakes get made. If you design carefully, these mistakes won’t cause real damage.

I just figured out that an app I wrote, that’s been out for two years, has an embarrassing bug (mea culpa). I’ll get it fixed today.

Because I’m pretty careful, it doesn’t affect stuff like user privacy. It just introduces performance overhead, in one operation, so the fix will mean that the app will suddenly speed up.

I’m not sure that certification would have solved it. My security mindset is why user privacy wasn’t affected, and that comes from experience.

> Good judgment comes from experience. Experience comes from bad judgement.

Orygin 2 days ago | parent [-]

Also if you are personally liable for gross negligence, you will:

1. Get paid more (as fewer fake "engineers" are available for the responsibility).

2. Push back harder (or at least document in detail) on malpractice during development. Manager did not listen to your warnings? Document it and when shit hits the fan, the manager gets the stick instead of you.

Hitting companies with monetary fines does not work. Hitting the employees with jail time will make sure they don't sign on dangerous or known problematic systems.

Manager not listening? Remind them they will face a trial if the issue does surface.

ailef 2 days ago | parent [-]

> Hitting companies with monetary fines does not work. Hitting the employees with jail time will make sure they don't sign on dangerous or known problematic systems.

What!? So, when you can't switch jobs because the market is bad or for any other reason, your choices are: 1) quit and lose the income (which you can't afford) or 2) sign on whatever and accept the risk of jail time?

Orygin a day ago | parent | next [-]

The job market in such society would not be the same as it is now.

If you are certified, chances are you will have lots of choices to work.

ChrisMarshallNY a day ago | parent | prev [-]

Sounds like every other vocation out there.

Software devs have been insanely privileged, for the last couple of decades. That seems to be changing.