<p dir="ltr">I can't think of a reason why a mom and pop would even know what certification would really mean to them. If they are handling credit card data, then they get something from a third party, like PayPal or Google, to handle it, and it never touches their system.</p>
<p dir="ltr">In the larger picture anything that provides lawyers something to bludgeon with is a bad idea to me. They screw up too much as it is - and get paid too much as well.</p>
<p dir="ltr">There is a difference between building a bridge and a website. </p>
<p dir="ltr">Any website can be compromised, idiot developer or not. It's harder to blow up the bridge...</p>
<div class="gmail_quote">On Mar 6, 2013 6:27 PM, "JD" <<a href="mailto:jdp@algoloma.com">jdp@algoloma.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
See in-line ...<br>
<br>
On 03/06/2013 04:44 PM, Jim Kinney wrote:<br>
><br>
><br>
> On Wed, Mar 6, 2013 at 4:10 PM, Matt Hessel <<a href="mailto:matt.hessel@gmail.com">matt.hessel@gmail.com</a><br>
> <mailto:<a href="mailto:matt.hessel@gmail.com">matt.hessel@gmail.com</a>>> wrote:<br>
><br>
> I see the idea behind the certification, but in practice that seems mostly<br>
> useful to employers when hiring individuals with little on their resume.<br>
><br>
><br>
> It's not for employers. It's for lawyers and judges to use as a bludgeon to make<br>
> companies use good practices in coding for public consumption. If company FOO is<br>
> in software development, and they provide code for banking, they MUST have a<br>
> certified banking code engineer on staff and sign off on the code or else that<br>
> code is not legal to use for banking. Or they can pay a banking code engineering<br>
> firm to evaluate their code and sign off if it suits the engineer's standards.<br>
<br>
Most banking code was written 20-40 yrs ago. You want them to review all that<br>
and certify it? They would rather pay the losses. It is a business decision,<br>
just like Ford decided to pay for all the exploding Pintos. Risk analysis.<br>
<br>
> If mom-n-pop company hires a developer to put up a web site, they don't need a<br>
> certified engineer to approve anything UNTIL they add something like shopping<br>
> site with credit card stuff. If their website gets defaced because they hired an<br>
> idiot, that's their problem. If their website gets hacked and credit card data<br>
> is stolen, then it's a criminal offense on them for deploying code that was not<br>
> approved by a professional engineer. I see drop-in certified modules for various<br>
> platforms to do this.<br>
<br>
Very few online retailers write the code to handle credit cards. They buy a<br>
package or pay a service provider. The PCI standards are almost a joke. A<br>
friend works in that field handling many $$$millions through her code daily. To<br>
be PCI compliant, she was forced to make her system less secure than it was.<br>
I've heard similar complaints from others in the field. I want to laugh at the<br>
people saying that passing their PCI audit was tough. I don't know anything<br>
about this - never wrote any software like it.<br>
<br>
Following "industry standards" seems to be a get out of jail free answer. It<br>
doesn't matter that industry standards often are not all that good.<br>
<br>
> I can't build a bridge for public use until I am a certified, tested and passed<br>
> Professional Engineer. As a PE, it's MY name on the line for the stuff I sign<br>
> off on. So a PE won't approve crap. Is it a perfect system? Nope. But it keeps<br>
> slick talking idiots from building bridges and practicing law and medicine.<br>
<br>
If it is related to civil engineering, you are mostly correct.<br>
<br>
> A person who passes a PE exam doesn't need much else on their resume. It's not<br>
> possible to pass without mountains of knowledge and/or experience. There is<br>
<br>
I know a few PEs - considered it myself, but never worked in an area where that<br>
was useful. There are PE licenses for 3 areas of engineering. There are no PE<br>
licenses for nuclear engineers or aircraft engineers. Why is that? I suspect<br>
because there hasn't been a need.<br>
<br>
> already a Professional Software Engineer license process. What is needed is to<br>
> add HIPAA and Banking modules (or more generically - data security) and then<br>
> require that places that use software in these fields have X years to be using<br>
> certified, compliant software or they get shut down, fined out the ass or both<br>
> for repeated violations. "Market forces" can't fix this crap. It's like why we<br>
> all drive on the right hand side of the road. Someone decided we have to clean<br>
> up the mess and made it happen.<br>
<br>
Only the front page of the NYT will get the attention of an industry.<br>
I've been in meetings where the business representatives said it was too costly<br>
to do X. Then I pointed out all the negative press that was extremely likely if<br>
we didn't. This was a laptop patching discussion for systems that were almost<br>
never connected to the corporate network. The business people decided that NYT<br>
publicity was worse than the cost and recurring costs of patching the laptops.<br>
<br>
Only public shame will make these sorts of issues go away. No licensing will<br>
help unless the insurance companies demand the license before insuring a<br>
development company for errors and omissions - BTW, this insurance is required<br>
for many professional services companies. The E&O insurance that my company has<br>
does include a few mandates for IT. I'd find those clauses, but it is too hard<br>
right now. I think those were something like these:<br>
* Performing backups<br>
* running current AV software on all machines<br>
* Having a firewall<br>
* staying patched<br>
The bar was really low and vague enough for a lawyer to drive a moped towing a 3<br>
story house through.<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>