[ale] a quick test of web site stupid
Matt Hessel
matt.hessel at gmail.com
Wed Mar 6 18:51:02 EST 2013
I can't think of a reason why a mom and pop would even know what
certification would really mean to them. If they are handling credit card
data, then they get something from a third party to handle it like PayPal,
or Google and it never touches their system.
In the larger picture anything that provides lawyers something to bludgeon
with is a bad idea to me. They screw up too much as it is - and get paid
too much as well.
There is a difference between building a bridge and a website.
Any website can be compromised idiot developer or not. It's harder to blow
up the bridge...
On Mar 6, 2013 6:27 PM, "JD" <jdp at algoloma.com> wrote:
> See in-line ...
>
> On 03/06/2013 04:44 PM, Jim Kinney wrote:
> >
> >
> > On Wed, Mar 6, 2013 at 4:10 PM, Matt Hessel <matt.hessel at gmail.com
> > <mailto:matt.hessel at gmail.com>> wrote:
> >
> > I see the idea behind the certification, but in practice that seems
> mostly
> > useful to employers when hiring individuals with little on their
> resume.
> >
> >
> > It's not for employers. It's for lawyers and judges to use as a bludgeon
> to make
> > companies use good practices is coding for public consumption. If
> company FOO is
> > in software development, and they provide code for banking, they MUST
> have a
> > certified banking code engineer on staff and sign off on the code or
> else that
> > code is not legal to use for banking. Or they can pay a banking code
> engineering
> > firm to evaluate their code and sign off if it suits the engineers
> standards.
>
> Most banking code was written 20-40 yrs ago. You want them to review all
> that
> and certify it? They would rather pay the losses. It is a business
> decision,
> just like Ford decided to pay for all the exploding Pintos. Risk/analysis.
>
> > If mom-n-pop company hires a developer to put up a web site, they don't
> need a
> > certified engineer to approve anything UNTIL they add something like
> shopping
> > site with credit card stuff. If their website gets defaced because they
> hired an
> > idiot, that's their problem. If their website gets hacked and credit
> card data
> > is stolen, then it's a criminal offense on them for deploying code that
> was not
> > approved by a professional engineer. I see drop-in certified modules for
> various
> > platforms to do this.
>
> Very few online retailers write the code to handle credit cards. They buy a
> package or pay a service provider. The PCI standards are almost a joke. A
> friend works in that field handling many $$$millions through her code
> daily. To
> be PCI compliant, she was forced to make her system less secure than it
> was.
> I've heard similar complaints from others in the field. I want to laugh at
> the
> people saying that passing their PCI audit was tough. I don't know anything
> about this - never wrote any software like it.
>
> Following "industry standards" seems to be a get out of jail free answer.
> It
> doesn't matter that industry standards often are not all that good.
>
> > I can't build a bridge for public use until I am a certified, tested and
> passed
> > Professional Engineer. As a PE, it's MY name on the line for the stuff I
> sign
> > off on. So a PE won't approve crap. Is it a perfect system? Nope. But it
> keeps
> > slick talking idiots from building bridges and practicing law and
> medicine.
>
> If it is related to civil engineering, you are mostly correct.
>
> > A person who passes a PE exam doesn't need much else on their resume.
> It's not
> > possible to pass without mountains of knowledge and/or experience. There
> is
>
> I know a few PEs - considered it myself, but never worked in an area where
> that
> was useful. There are PE licenses for 3 areas of engineering. There are
> no PE
> licenses for nuclear engineers or aircraft engineers. Why is that? I
> suspect
> because there hasn't been a need.
>
> > already a Professional Software Engineer license process. What is needed
> is to
> > add HIPPA and Banking modules (or more generically - data security) and
> then
> > require that places that use software in these fields have X years to be
> using
> > certified, compliant software or they get shut down, fined out the ass
> or both
> > for repeated violations. "Market forces" can't fix this crap. It's like
> why we
> > all drive on the right hand side of the road. Someone decided we have to
> clean
> > up the mess and made it happen.
>
> Only the front page of the NYT will get the attention of an industry.
> I've been in meetings where the business representatives said it was too
> costly
> to do X. Then I pointed out all the negative press that was extremely
> likely if
> we didn't. This was a laptop patching discussion for systems that were
> almost
> never connected to the corporate network. The business people decided
> that NYT
> publicity was worse than the cost and recurring costs of patching the
> laptops.
>
> Only public shame will make these sorts of issues go away. No licensing
> will
> help unless the insurance companies demand the license before insuring a
> development company for errors and omissions - BTW, this insurance is
> required
> for many professional services companies. The E&O insurance that my
> company has
> does include a few mandates for IT. I'd find those clauses, but it is too
> hard
> right now. I think those were something like these:
> * Performing backups
> * running current AV software on all machines
> * Having a firewall
> * staying patched
> The bar was really low and vague enough for a lawyer to drive a moped
> toeing a 3
> story house through.
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130306/3908b98c/attachment.html>
More information about the Ale
mailing list