undefined | Better HN

0 pointsrapind4y ago0 comments

Who is “we” though. I think a lot of deva cut corners, a lot of managers insist on cutting corners (preferably without a paper trail pointing at them), and a lot of businesses hire inexperienced devs that wouldn’t even know where to start, because cheaper.

I don’t know how you coordinate this without regulation and something like P.Eng type certification (which comes with it’s own problems).

0 comments

6 comments · 1 top-level

nine_k4y ago· 5 in thread

I think you should certify systems in place, not engineers.

People without credentials but with experience and care can produce a reasonably secure system. People with credentials but under time pressure and contradictory requirements, and willingness to cut corners, can produce an unsafe system.

It's the system that fails. It can be inspected the way buildings are inspected.

rapindOP4y ago

Ideally I agree, but I’m not sure it will be effective. There needs to be concrete consequences, and there’s a lot of room to hide.

If we required something like a P.Eng, which (at least theoretically) means you are responsible with real consequences (for say bad building design) then certified employees will be far more reluctant to attach their name to shoddy practices. This bubbles up to the employer. If a client requires you to have certified P.Eng sign off then there’s some reassurance it’s not just going to fall a part.

I don’t think you need this for everything in a stack, but security wise it might be a good idea.

mcguire4y ago

"I don’t think you need this for everything in a stack..."

The problem there is that everything on the stack is a potential hole. The chain is only as strong as its weakest link.

mcguire4y ago

Certification of people is cheaper than certification of systems built by random people. For fun: Try to get a commercial building built that doesn't have an architect and structural engineer (both of which are certified professionals) somewhere in its background.

rapindOP4y ago

This is a really good point. Because the stakes are so high it makes sense. No one would want to live in a building that's yolo designed. Certifying and insuring it after the fact though would be really hard because a lot of critical decisions are hidden away.

We accept that possibility in SaaS though... for now.

Most successful SaaS applications probably weigh in at 250k LOC or more (I know LOC isn't a great metric, but it serves as an idea of an application's complexity) and will use many libraries that themselves could be questionable. Seems like it would be pretty complicated to certify.

MrQuimico4y ago

I totally agree.

j / k navigate · click thread line to collapse

0 comments

6 comments · 1 top-level

nine_k4y ago· 5 in thread

I think you should certify systems in place, not engineers.

It's the system that fails. It can be inspected the way buildings are inspected.

rapindOP4y ago

Ideally I agree, but I’m not sure it will be effective. There needs to be concrete consequences, and there’s a lot of room to hide.

I don’t think you need this for everything in a stack, but security wise it might be a good idea.

mcguire4y ago

"I don’t think you need this for everything in a stack..."

The problem there is that everything on the stack is a potential hole. The chain is only as strong as its weakest link.

mcguire4y ago

rapindOP4y ago

We accept that possibility in SaaS though... for now.

MrQuimico4y ago

I totally agree.

j / k navigate · click thread line to collapse