
How would we regulate software engineers? - RKoutnik
http://tavisharmstrong.com/2016/12/10/regulated-software-engineering/
======
VLM
I have some engineering background and you only have engineers in stable
predictable fields. You can predict quite accurately the failure load of a
bridge truss or a transistor and it's easily testable and the whole process can
be simulated and verified top to bottom.

My guess is the wedge to bring in engineering would be network operations,
classic operations (not devops which just means we're gonna pencil whip the
ops responsibilities). Maybe large data center operations (thermal, electrical
loads, UPS, etc) is amenable to engineering workflows.

Software is simply too unpredictable. Both in development and operation.
Software is still in the "greeks and amber and rabbit fur experiments" stage
of electrical engineering.

~~~
mjevans
The ethical and competency attributes are still relevant. Particularly with
respect to actual engineering (architecture of the overall solution) aspects
of logic systems development and deployment.

~~~
slg
I think one of the main problems with ethics is the abstract nature of
software and development. Let's say you create an encryption algorithm. That
algorithm can be used by terrorists and pedophiles or it can be used by banks
and civil disobedients. Or let's say you create an encryption breaking
algorithm. That algorithm can be used by law enforcement and the judicial
system or it can be used by identity thieves and oppressive governments. Are
you as the developer responsible for all those uses? It is hard enough to know
how your employer will use your code in the future, but it would be literally
impossible for any open source software.

~~~
marichards
This kind of argument applies to anything, even paper. Encryption is just a
tool. A pipe can be used to hide and carry water, it can also be tampered with
to poison someone or conceal explosives.

~~~
slg
Which is why we don't force an ethical code on those producing pipes. We
instead decided to regulate their finished product. However if someone on HN
suggests regulating encryption, they aren't met with the most open arms.

------
headcanon
I think it's difficult to find this kind of regulation for SE partially because
it's so new and not well understood compared to other engineering professions.
What is software engineering? The kinds of things that would regulate, say,
programming an operating system kernel is not the same thing as someone who
makes wordpress templates. Yet both would describe themselves broadly as
Software Engineers. What is the difference between the aforementioned
wordpress-template-maker and someone building a full web application in React?
Where does the line that divides "Engineering" begin and end?

I can see a regulatory body develop certifications around software engineers
that develop critical infrastructure or spacecraft, where a single failure is
catastrophic, but that expertise might not apply for the person making the
interface app for the same piece of software (or working in some other layer
of the stack that is not so stringent). Is that person "less" of an engineer?
It opens the door to institutional bias towards what is considered "proper"
engineering, and much like relying on formal education for hiring, provide a
poor heuristic in hiring practices.

However I think that we will eventually get there once we figure out
collectively what "place" software has in society, once these divisions settle
down and become better understood, then we can figure out how to regulate each
properly. I think this could be 50-100 years from now.

~~~
goalieca
Wordpress template guy is doing a trade while kernel guy is engineering.

~~~
tarmstrong
Not all programmers (engineer or otherwise) are guys -- probably worth keeping
that in mind if you want this to be a welcoming community for everyone (:

~~~
goalieca
Sorry, I'm Canadian, buddy. I do call my wife and her girl friends "you guys"
from time to time.

~~~
tarmstrong
I'm Canadian too. I sometimes use "you guys" when speaking to a group that has
women in it; I don't use "guy" in the singular when talking about generic
technical roles because it implies that being a guy is part of the job. In
many cases this is effectively true due to sexism in the industry, so it's not
something to take lightly.

I don't think this is what you intended, to be clear! But I do think that is
how it would be interpreted, even by Canadian women.

------
Silhouette
How would we regulate software engineers? Badly.

We don't yet know how to reliably balance desirable goals in software
development, such as delivering a certain level of quality and reliability, or
delivering on time and on budget. That immediately undermines aspects such as
proof of competence or ongoing training that are usually associated with
regulated professions.

Moreover, I imagine the people in the industry who would be closest to getting
these things right are probably too busy working on building real systems to
spend much time teaching or assessing. If government officials started trying
to set up a professional accreditation scheme for software developers with
real legal weight, how many people here seriously believe the result would
_not_ be exams in Agile Software Craftsmanship Manifesto Driven Development,
written and assessed by high profile and no doubt highly paid consultants
whose total contribution to actual working code in high reliability or
otherwise important systems is less than the contributions of at least half
the people reading this comment?

We're not ready yet. With luck, we might be within at least some of our
lifetimes, but I wouldn't bet much money on it. And in the meantime, any
attempt to set this up would surely be subject to instant regulatory capture
by exactly the kind of vultures our industry needs to move away from if
standards are going to improve.

~~~
clifanatic
> how many people here seriously believe the result would not be exams in
> Agile Software Craftsmanship Manifesto Driven Development

Well, since the sort of people who set up regulatory exams are likely to be
the same sort of people who design college curricula, I don't think that would
be the case at all. I suspect that a software licensing exam would cover
things like algorithmic complexity, NP-completeness, pushdown automata, Turing
completeness, LR parsing, etc. etc.

~~~
Silhouette
_Well, since the sort of people who set up regulatory exams are likely to be
the same sort of people who design college curricula, I don't think that
would be the case at all._

OK, you win. There actually would be a worse option than letting the
consultants do it...

------
marcoperaza
The first thing needs to be a culture change: "move fast and break things" is
not an acceptable philosophy when you're dealing with millions of people's
private conversations.

~~~
tarmstrong
OP here. I work at a company that is able to move quickly, and yes, sometimes
breaks things in the process. Tradeoffs between speed and safety are fine to
make, in my opinion. It does seem like it would be useful to regulate things
like ethical conduct, though. Maybe this dictates what systems are ok to move
quickly and break and which systems aren't. What do you think?

------
w8rbt
Probably similar to how other professions are regulated. Educational
requirements, internship requirements, licensing, yearly continuing education,
etc.

------
ForHackernews
Software engineers are not professionals like doctors, lawyers, or chartered
accountants. Real professionals have a degree of autonomy and their primary
obligation is to the ethical standards of their profession, not to their
employers.

~~~
tarmstrong
> their primary obligation is to the ethical standards of their profession,
> not to their employers.

OP here. The intended subtext of my post was that it would be nice if our
industry had ethical standards as well. (:

~~~
ForHackernews
That _would_ be nice. It also seems unrealistic in the current climate. What
you're suggesting is setting up some kind of Software Engineering Guild, which
would require a fundamental shift away from the naive individualism we see
today and toward a recognition of collective interests.

------
tannhaeuser
As to the discriminatory and societal problems you write about, I don't know.

But there are certainly standards for particular fields of applications, like
medical IT, enforced through stricter liability laws in that field.

In the 1990's and 2000's there was also a very long push for standardization
(POSIX/SUSV, programming languages, SQL, SGML/XML, IP protocols, etc.). These
efforts (and the success of Java) were also seen as a measure against Microsoft
becoming predominant in the 1990's by many developers.

But in this decade, it seems like this isn't anymore a priority. A guy here on
HN recently wrote that he'd never consider a language environment lacking a
"canonical" or solitary implementation (like, say Ruby, Python, PHP, Perl, or
other languages tied to their runtimes have). I found this very interesting,
as it's the opposite of what I'm doing (I only use languages having a
language spec and multiple implementations).

I also see it as a generational phenomenon. Look at node.js today. Back in
2011 or so it started as a really practical asynchronous server-side
JavaScript runtime based roughly on CommonJS platform specs also implemented
by other JS runtimes. Nowadays, the entire reason to use JS in the first
place, its ubiquity/portability, is completely lost, and node.js build setups
are approaching or even surpassing J2EE-ish levels of complexity/absurdity
(webpack, babel, angularjs, etc.).

------
jbritton
I think there are a few really big problems. First is that nobody really knows
how to build reliable software. Well, maybe somebody somewhere does, but there
is no standard established method that can be studied and is known to work.
Second, software is a set of instructions to accomplish something. There
really is no method to design for a set of unknown instructions. Third, this
leads to massive confusion over what design even means with respect to
software. Ask 100 software developers what they think design means, and you
will get 100 different answers. Fourth, many software projects are reliant on
a massive stack of APIs to accomplish anything. It is often not known if these
APIs are bug free, or exactly how they are supposed to be used. There are
frequently unexpected complications using APIs. Sometimes just using third
party APIs becomes a research and development effort. How we build anything is
rapidly changing, because the community is still trying to figure out how to
do it better. User Interfaces on the web are the most glaring example.
Nothing seems to survive for more than a year or two in this space. Many in
the community worked extremely hard to get degrees in Computer Science or
something similar and it is not enough. If there was knowledge that worked,
wouldn't it be imparted through a college curriculum? In my experience, the
upper level managers know nothing about software development and create
deadlines that are impossible to meet. Software is something not amenable to
being rushed. Code of any quality takes a lot of thought, time, consideration,
care, analysis, testing, documenting. It all goes out the window when
management starts dictating that the code must ship.

------
wickedlogic
You'd better spend your time, by regulating things that generate code and
validating/regulating that output.

~~~
nickpsecurity
Look up DO-178B market. They regulate the software lifecycle itself requiring
evidence each part is handled. After source is analyzed and tested, they also
do source-to-object code verification. Tools that generate code have to be
similarly qualified as you said. An example done by a top company in the
domain is below:

[http://www.eecs.northwestern.edu/~clk800/rand-test-study/_er...](http://www.eecs.northwestern.edu/~clk800/rand-test-study/_eruoctdsetiacf/uoctdsetiacf-2009-10-8-12-02-00.pdf)

------
mcculley
This question comes up once in a while. One solution to the complete lack of
regulation would be to have something like a bar association similar to how
lawyers regulate their profession. It wouldn't have to be a legal requirement,
but it would at least set a standard for membership.

------
catuscoti
Free speech. First Amendment covers source code and similar expressions.
Regulating free speech is virtually impossible. That is where the whole
project stops.

~~~
tarmstrong
There are regulations that affect the work of software engineers. PCI DSS is
one that I am familiar with. Perhaps unfortunately, if your software interacts
with the real world (like payments infrastructure), you have to heed
regulation. This tends not to affect people who are casually writing software
or working on many open source projects, but it does impact large companies
like Google.

(I like to think of this as pretty similar to the Haskell IO monad. At some
point you have to break out of your cozy side-effect free code and actually do
something. At that point you have to deal with the messy real world.)

~~~
EvanAnderson
PCI DSS isn't regulation. It's a standard promulgated by a private LLC (the
Payment Card Industry Security Standards Council).

HIPAA would be a much better example of regulation that is material w/ respect
to software development.

~~~
tarmstrong
Great point. Thanks!

------
kybernetyk
Good luck with regulating math.

------
parfe
A blanket ban on software developers lying about being engineers would be a
good start.

~~~
dimino
Is there a universally or even widely accepted difference?

~~~
mLuby
The difference between software developer and software engineer is ~$10k.
[http://www.payscale.com/research/US/Job=Software_Developer/S...](http://www.payscale.com/research/US/Job=Software_Developer/Salary)
[http://www.payscale.com/research/US/Job=Software_Engineer/Sa...](http://www.payscale.com/research/US/Job=Software_Engineer/Salary)

~~~
stale2002
lol, you realize that none of the Google "software engineers" are accredited?

Google Canada calls their employees software developers. Everyone would just
call themselves a different name and life would move on as nobody cares.

------
guard-of-terra
Regulation is the wrong word. Regulation is something pushed to you from above,
something that you did not ask for and that you'll try to evade using that
programmer-brain of yours.

What we need is something that clearly comes from fellow developers.

------
dbg31415
Regulation would have to start with simple coding standards. Updated yearly.
Much like building codes. A project could pick what standards they wanted to
adhere to, and then everyone on the project would have to adhere to those
standards -- the whole project would be audited by a third-party after the
fact for compliance.

There are plenty of good, short, concise coding standards to draw from.
Especially useful in giving non-technical people the confidence that things
were built consistently... if not correctly even. This is about as simple as
it gets:

* WordPress Coding Standards – Make WordPress Core || [https://make.wordpress.org/core/handbook/best-practices/codi...](https://make.wordpress.org/core/handbook/best-practices/coding-standards/)

I'm sure there are others that aren't terrible.

I do think having more standards would help, standards defined by the devs on
the project. If they get to choose their benchmark, then it's just about
consistency of approach. Not a bad thing, right? Currently it's the wild west,
and the only thing a dev can do is say, "It's my word against theirs, their
code is bad."

~~~
EpicEng
Yeah, this kind of mentality produces utter shit like TOGAF. The code is still
crap written by mediocre devs, but now includes at least 100% more complexity
and needless abstraction!

~~~
phpnode
TOGAF - The Open Group Architecture Framework [0] for anyone else wondering

[0]
[https://en.wikipedia.org/wiki/The_Open_Group_Architecture_Fr...](https://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework)

