Software engineers are engineers. So why don’t we regulate them—as we do other professions that build critical infrastructure?
One influential developer says we should. Leading light of the FreeBSD and Varnish projects, Poul-Henning Kamp (pictured), argues the time is way overdue for professional licensing, regulation, and liability.
Brace yourselves for deafening howls of anger, mixed with denial. In this week’s first edition of Secure Software Blogwatch, we don our ear protection.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Cannon Coaster.
‘The end of IT as we know it’
What’s the craic? Here’s Poul-Henning Kamp’s immodest proposal—“The Software Industry Is Still the Problem”:
“The time is way overdue”
Around the time computers were old enough to drink, software engineering guru Gerald Weinberg said: "If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization." … The ransomware attack on Colonial Pipeline in May 2021 probably marks the beginning of the end. … The woodpecker is not leveling individual, particularly bad buildings, it is leveling civilization, because all the buildings are bad.
…
Governments have finally noticed that a well-run nation-state is heavily dependent on an awful lot of computers working properly—computers that no one in the so-called "national security apparatus" previously gave much attention to.
…
In Denmark, 129 jobs are regulated by law. … With respect to gas, water, electricity, sewers, or building stability … the rules are always the same: Stuff should just work, and only people who are licensed—because they know how to—are allowed to make it work, and they can be sued if they fail to do so. … Totally absent on that list are any and all jobs related to IT; IT architecture, computers, computer networks, computer security, or protection of privacy. … The time is way overdue for IT engineers to be subject to professional liability, like almost every other engineering profession.
…
The astute reader is apt to exclaim, "This will be the end of IT as we know it!" … My considered response is, "Yes, please, that is precisely my point!"
Regulating developers? You gotta be kidding. Steven Melendez drops the other shoe—“A new Senate report finds the government is unprepared”:
“Quickly implement regulations”
In the past few years, ransomware attacks have crippled schools, hospitals, city governments, and pipelines. … Despite the heavy toll such incidents have on both the public and private sectors, government officials have only a limited understanding of ransomware attacks … according to a new report from the Senate Homeland Security and Governmental Affairs Committee.
…
The report calls on the Biden administration to quickly implement regulations. … It also suggested that agencies standardize how they track ransomware attacks. … According to the report, Congress should take action to facilitate sharing ransomware info between agencies and with private sector companies and academic researchers.
And it’s a short step from regulating data about infrastructure to regulating developers of infrastructure. agentultra can’t agree more:
“Let the folks who know what they’re doing run the show”
Can't agree more. I've been saying for years that we should have some professionalism added to the industry. It doesn't mean that everyone who writes code must be licensed. But to determine if software is fit for purpose you must be. Liability is important.
…
What I hope such a system would provide is a means to prevent companies from cutting corners for the sake of profits and give engineers the right to say what is fit for purpose. … The current system of liabilities doesn't protect the end users or dissuade the software industry from continuing on this destructive course.
…
We're not talking about your high school web project here. [But] we need to prevent companies from rolling the dice with our future and let the folks who know what they're doing run the show.
tl;dr? david.emery puts it more succinctly:
The idea is that you be responsible if your code is broken. In what other industry can people **** up as badly as software, with no consequences?
Naturally, there’s a long line of dissenting voices. Such as this, from u/MpVpRb:
Demanding that software be made bug free under penalty of law is a nice fantasy. Unfortunately even the best of us can't make bug free software. If all software writers were punished for writing bad code, there would be no more software.
And this, from randomdata:
Security seems to be [Kamp’s] primary concern. Professional engineers working on buildings aren't liable for someone who decides to take a bulldozer to it to find its weakness, so it would be equally unreasonable for engineers to be liable for someone taking a 'virtual bulldozer' to software to find its weaknesses.
…
When it comes to software operating within known constraints, we're usually pretty good at delivering. The software in your car, for example, may be full of security holes if a human decides to attack it, but as far as working within the known environment, it is likely to work just fine and as expected. … If you want to stop people from driving bulldozers into your buildings, you're going to have to look beyond the engineers. That is not their area of expertise.
And this colorful metaphor, by Maxo-Texas:
I would never have worked in a field like that for any amount of money if I was constantly risking financial ruin. It would be like holding doctors financially accountable for deaths from new or rare diseases.
Regulation, schmegulation—or so kvetches civilized:
[Kamp] makes a decent case that some sort of licensing should exist for some types of software development at some point in the future. But the devil is in the details, and the merit of the licensing process needs to be proven.
…
Regulators are valuable but we've also got a lot running around with red tape and power trips that they didn't earn. We're extracting thousands of dollars from low-income minorities for hairstylist licenses that benefit no one. We've got engineering boards punishing people for publicly (and correctly) disputing the math of red light timing. There's too much abuse. … Regulators need to be held accountable too.
Meanwhile, Tom blames customers, not the devs:
Pfft. By the time the whole **** comes crashing down, the person who bought it has done their two quarters, taken their golden handshake and moved on to the next company. What do they care?
And Finally...
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: Andrew “Karora” McMillan (cc:0; leveled and cropped)