seemaze 2 days ago

>Wouldn't change a thing..

That's exactly what certification or licensure does; it imposes financial, civil, and criminal penalties for malpractice.

The liability of incurring penalties quickly outweighs the benefit of arbitraging costs with an unqualified practitioner.

hurflmurfl 2 days ago

I think just putting it on the companies is enough. If the fines are serious and can put your company out of business, and are enforced, then the companies themselves will probably work out processes for not doing stupid stuff. Whether that be creating some sort of certifications that would be prized by the companies, knowing to hire a specialized team for a security review, or anything else.

If everyone knows that messing up security gets you in real trouble and the company loses real money, and it happens all the time, and it's not just "Facebook fined $x million for doing shady stuff", then I think the industry will adapt.

Like when GDPR got released and no matter if I thought we are or are not handling PII, I had to read up and double-check my assumptions just because it was being talked about all over the place and it would be embarrassing to be caught with your pants down when you didn't actually intend to do a shady thing.

Orygin 2 days ago

> I think just putting it on the companies is enough. If the fines are serious and can put your company out of business

They don't care. It's either never enough to make them care, or the company can just go bankrupt and you go do something else.

If you or your manager has the threat of jail in the back of their mind, it's no longer just someone else's money being lost, it's personal.

> If everyone knows that messing up security gets you in real trouble and the company loses real money

There are already huge fines on paper for this, but never ever are the fines enough. It's always factored into the "cost of doing business". Also, it's still someone else's money, so why would an engineer care?

Please show me a GDPR fine that hit hard enough to scare companies into not fucking up? Evidently here it was not enough for Fiverr.

Edit: Just to provide an example, Takata airbags have been recalled massively (if you don't know why, look it up), but the company is now bankrupt, and who is footing the bill? Their customers.

You cannot impose a fine on them, as it's bankrupt (now, but it was always the plan). They deliberately sold dangerous airbags, and now what can you do so it doesn't happen again? Fine them some more? Or maybe throw a few execs in jail because they knew of the problem and continued as usual.