Is it weird to say that these issues are too stupid for software engineer licensing to be a good answer? It's like buying a fleet of cherrypickers to pick lettuce.
And if we can't hold people accountable for their actual products being laughably insecure, I don't see how licensing enforcement is going to go better. For starters, the question of who should be required to hire licensed engineers is the same as who should be regulated/sued into compliance/oblivion regardless of licensing, and we clearly can't do that.
Everyone operates at the limit of their knowledge of the world (and their available resources).
It's just that some people's knowledge is waaay more limited than others'. And all we have is some form of self-regulation - from a science viva to an engineering degree, we have no option other than to say "we think we have a measure of all human knowledge in this subject, and so we can judge if anyone else has the same knowledge".
Just look at any "building disasters" TV show where unsafe extensions were added to houses etc. At some point someone says "that meets a standard"
Do we do it before the guy leaves college? Do we do it during the build using independent inspectors à la building codes? Do we do it in court after it's all fallen over?
I am not convinced that software regulation is correct - I prefer to see software as a form of literacy and as such I am really reluctant to rein in "speech". I think software is so open to composability that best practices can come almost for free. Security is just one of those areas where you need a good understanding of the fundamentals.
> It's just that some people's knowledge is waaay more limited than others'.
This excuse ends when an expert reaches out to you and explains the exploit. At that point you've chosen the way of pain, one way or another.
> I am really reluctant to rein in "speech".
OTOH this question is pretty easy to answer: Regulation (of whatever type) applies to deployments, not code. Deployments are where the harm happens. I think this approach would even align the incentives correctly w.r.t. maintenance funding.
Can you give an example of any other domain where the entire domain is changed every decade?
Space exploration comes to mind, but again, still based on physics and chemistry.
The problem with the digital domain is we're literally just dreaming this stuff up and then being surprised when everyone has a hard time securing those dreams.