Thursday, September 21, 2017

Software Enginerr

The Equifax news has been top of many a mind for a while now. Upwards of 143 million have had their personal information compromised. To put that in context there are 126 million households in the US (88%), 11 million illegal aliens (7.7%) and 800 thousand "dreamers" (0.6%), so all things being proportional one would expect enormous outcry from the "Financial Lives Matter" activists. There are calls for criminal charges for executives, based on what is not clear but perhaps SEC violations, and everyone is settling into the calm after the storm assuming nothing will happen, nothing will change. And that is probably the case. Maybe Financial Lives Don't Matter. Maybe that is because the only folks with the time to whine and complain and march about What Matters don't have a job and don't have a financial life.

In the early days Equifax pointed their fickle finger of blame squarely at the Apache Project and the Struts framework in particular, upon which that particular group of FOSS-ers broke it off by pointing out how many months ago they had released a security update. Even luddites know you install a security update the very minute it is available; after all, the black hats get the word at the same time as the white hats.

So what happened at Equifax? Are they institutionally incompetent? Maybe. Are they culturally steeped in an NIH syndrome and only reluctantly use any FOSS and consequently have great disdain at being told, from the Open Source community, you better do this and do it now? Maybe. Are they soaking up the rays in the Last Millennium Lounge and just haven't a clue how you work with FOSS and how that affects your development and operational processes? Clearly.

So what can we, inside and outside the industry, do to turn down the incompetence? Some have suggested we try what we do in other domains and require that systems with significant potential for public harm, should they fail, be designed, deployed and operated under the close supervision and sometimes direct effort of licensed professionals. Maybe it is time to enforce our laws. You see, to call yourself a lawyer, to practice law, you need a license. Same for a medical doctor. Same for a structural, mechanical, electrical or aerospace engineer. And think about it. Would you want the bridge your child drives over to be designed by some off-shore company whose employees have whatever education and degree from a school no one has ever heard of and may be as ephemeral as Trump Academy? Well, that's what happens with software. But this practice is not going away, and the fact of the matter is the underlying FOSS is globally developed largely by folks with no affiliation to anything other than being a good programmer. Not bad in and of itself, and this simply points out the real problem--it is not the professionalism of the programmers, it is the professionalism of those in Equifax who selected the components, built the system, deployed it, and then neglected to maintain it.

Maybe it is time to license Software Engineers just like any other Engineer and to quit calling anybody who can drive vi a Software Engineer and prosecute companies that call them that. After all, those companies are breaking the law. And Equifax is one such company.

You think these jobs require a PE? Nope. Why not? Because the State of Georgia doesn't license Software Engineers, nor do they enforce their prohibition on calling yourself an Engineer when you are not licensed. That might be bad for bidness. They do license lots of folks but that is just for the revenue:


And yet they do not license Software Engineers. In fact, one of the only states to offer a PE for Software Engineers is Texas and they are also one of the few to enforce their own laws, at one time penalizing Novell for calling their trained Command Line Jockeys "Network Engineers."

Some will argue that the guild socialism of licensure by a permission society is outdated and superseded by industry certifications and self regulation. That argument has much merit, as industry is likely to keep up with rapid changes in technology and practices while government devolves into bureaucracy and red tape. However, it is neither unreasonable nor overly restrictive for the State to require that key individuals in organizations like Equifax have these industry certifications, that they are current, and for the State to bring significant criminal charges against those who fail to adhere to industry practices and against the managers who allowed, or supported, the negligence.