
Certification?  Bring it on! - mattculbreth
http://weblog.raganwald.com/2007/07/certification-bring-it-on.html
======
geebee
I'm almost 100% opposed to a certification process that denies people the
right to code if they don't hold certification X.

But this post did get me thinking about a different kind of certification -
one based on safety rather than talent.

Society does have a reasonable interest in ensuring that applications that
process sensitive personal data - like Social Security Numbers, Medical
Information, Financial Information (bank account numbers) - meet a certain
standard. And most people have no ability to evaluate the dangers of coding
errors.

Society doesn't have the right to demand protection from untalented
programmers. If you try to pay as little $$$ as possible, your app may suck,
it may never get built, the wrong app may get built, etc... If you pay top
dollar, the same thing may happen. If you can't evaluate code, you can't
evaluate programmers, so you're hosed - and maybe you shouldn't be in this
game. If you decide to play it, buyer beware seems to work fine.

But the general public, whose medical information or ssn is in a database
somewhere, didn't decide to play this game - the game was played on them. So
we'd say - you don't need any certification to code. But you do need
certification to handle certain types of personal data.

And if there's a major hack of an application, we (the public) get to know
exactly whose "certified" signature was on that piece of paper.

------
weel
The argument about what hiring or training focus is "the best" is a little
silly, it seems to me, because different companies so obviously have different
requirements.

Take Google, as a prototypical high-tech firm, and Getronics, as a
prototypical business automation consultancy of the kind that tends to put
hackers to sleep but that is quite profitable nonetheless.

Google tries to do things that are sufficiently technologically ahead that it
will take competitors years to catch up. They'll work on problems before
anybody realized they had them, and do things that might seem ridiculously
speculative from the perspective of a Getronics executive, like statistical
machine translation. Their hiring and and training seems to focus largely on
finding, retaining, and developing intelligent generalists, and specialists in
esoteric fields where there is no such thing as certification programs.

Getronics, on the other hand, deals with big business clients who are often
satisfied with rather run-off-the-mill technology, as long as it's delivered
predictably and uniformly. (Of course, that's harder than it sounds.) A
typical big job for Getronics might be to help some organization upgrade from
a mainframe with terminals to a SQL server with PCs, without interrupting
operations. There's nothing particularly innovative about it (it's been done
thousands of times before), and it will likely be tolerated if the resulting
solution is a little clumsy, _but it had better not go wrong._

Getronics has a long and detailed internal training program, and they like
people with very specific experience. They have people who are specialists in,
say, office printing systems, and who know all the little quirks you'll run
into when you move from Novell print servers to Microsoft print servers. If
you work there for a number of years, you progress through a system of
internal certifications and ranks that begins to approach those of a military
organization.

For Google to behave like Getronics _or vice versa_ would probably be silly.
If I held shares in these companies, I'd probably want them both to continue
hiring and training much the way they do now, even though they're worlds apart
in the ways they do it.

------
spiralhead
I think it is natural for engineers (hackers, especially) to deal with
situations on an as-needed basis. We just solve problems. We make at least
SOME effort to solve them in such a way where they won't continually come back
and bite us in the ass but security catastrophes are like earthquakes. They're
low frequency events and therefore inherently difficult to learn from and plan
for. It's possible but time consuming, so the average lone hacker will not
bother until he absolutely must. We know it's important. It's in the back of
our mind at all times. But shipping product and getting users NOW will always
take precedence over architecting for the future, methinks.

And that is just the unfortunate reality for now until (heaven forbid) there
are some actual laws preventing it.

------
mattculbreth
Good article. I like this focus on the end result--can the guy create software
which works, is testable, is reliable?

I'd heard of a good way of interviewing an IT guy, like a network admin:

You give them a machine with no OS, tell them to load it with whatever OS you
usually use, join the network, and then do something pertinent to the job. If
you're hiring an infrastructure guy for a startup you might ask him to create
a machine with Ubuntu, Apache, Python, Ruby, Rails, Subversion, PostgreSQL,
etc. If the dude can do all/most of it, and if you watch what he does (good
use of the Internet? sensical file system setup? good eye for security?), then
you might have a winner.

~~~
jey
Yes, that IT test you cite is a good one, it actually test whether the guy can
get real work done. The test that raganwald proposes doesn't actually test
whether "the guy [can] create software which works, is testable, is reliable"
-- it's testing whether they pass the test. Knowing your shit is one way to
pass the test, but a _lot_ more people pass the test by just memorizing test
materials and learning the _test_ instead of learning the _subject_.

The situation might be improved if the whole Test Prep industry were made
illegal. The part that saddens me the most is that the people who make the
tests are also the ones selling the Test Prep materials to teach you how to
circumvent the test! argh.

------
mynameishere
Exactly. After 10,000 tests in 20+ years of formal schooling, one more should
do it.

~~~
raganwald
I laughed so hard I almost fell out of my chair. Nice one!

------
willarson
The best software is reliable, intuitive, and has genuinely useful
functionality. Like most ideas that violate the concept of the golden mean,
this idea is appealing but fundamentally broken.

He refutes his own point about the free market when he says it is currently
broken (businesses hire students with Comp. Sci degrees even though they can't
necessarily program well), but that the same broken free market will be
sufficient to determine if programmers can program well.

Identifying one arbitrary facet of software development and demanding that
coders be experts at it, even if they can't do anything else, is shortsighted.
This would make sense if testing was truely the hardest aspect of programming:
if testing was the great ravine that thwarted aspiring programmers.

That, however, has not been my experience. Testing is not trivial, but making
good design choices and understanding the concepts of programming that he
disparages will take longer to learn than testing, and the free market has
proven it evaluates these qualifications coarsely at best.

To be an expert is to have absorbed the symbols of your domain to the extent
that they can be used effortlessly. Testing is only one of those symbols, and
focusing on is flawed. So is ignoring it completely.

~~~
raganwald
"He refutes his own point about the free market when he says it is currently
broken (businesses hire students with Comp. Sci degrees even though they can't
necessarily program well), but that the same broken free market will be
sufficient to determine if programmers can program well."

You are assuming that the goal of the free market is to hire good programmers.
It isn't. Do you think managers are holding their heads in their hands,
moaning that they can't find good programmers? Outside of start ups, they
don't care.

That is why I say the free market works. Yes, business hires Comp. Sci. people
from "JavaSchools," but that's what they want!

I am not suggesting that someone with this hypothetical certification is an
expert, or even good. I think I said that five or even six times in the post.
Don't confuse the rant with a hypothetical measure of a "good programmer." It
isn't!!! It is a description of qualities I personally think are necessary but
not sufficient.

Please do not put words in my mouth about what I value and what I disparage. I
said I do not care about certain things for the purpose of having this
hypothetical certification. Take a few minutes googling me or reading my blog
before deciding what I value or disparage.

So back to the free market: the "problem" with the free market for programmers
is similar to the "problem" with the free market for pollution, worker safety,
and a bunch of other things we regulate.

We have discovered that left to their own devices, businesses will make
choices that expose their workers, their customers, and the public to danger.

I don't care if a business making software for dive computers hires someone
who takes four times as long to write code for half the hourly wage. The
business can make the call about whether this makes sense.

But I do care that the calculations are not broken, exposing me to death
through Oxygen Toxicity, Nitrogen Narcosis, or the Bends. I'm not going on a
crusade, it's just a post, but it's obvious to me that if businesses are left
to make choices for themselves, they will put their customers in harm's way.

And that's all I want to prevent.

Summary: certification of the type I described is meant to be necessary but
not sufficient. It doesn't say a Chef can cook well, it says a chef will not
accidentally poison the soup.

~~~
willarson
As per inserting words into your mouth, I addressed your argument, not you.
Regarding my post as if it were a personal attack is a disservice.

I don't follow your point about it being obvious that businesses will, left to
themselves, put their customers in harm's way. Left to themselves businesses
will do what maximizes profits. The behaviors that maximize profit are
determined by the demand established by consumers. When consumers are
unwilling to pay a premium for safety, then businesses will not provide safe
products. Thus it is consumers, in their uninformed quest to maximize utility,
that are hurting themselves.

Consumers need better information so they can make better decisions, as it
stands they are making a flawed choice (assuming that safety is indeed worth
more than we currently pay for it). On the other hand, businesses are making
the only rational decision available by continuing to produce unsafe products
for customers who won't adequately compensate companies for safer products.

Your certification mandates an additional cost on business, one that customers
are currently unwilling to pay for, and thus fulfills the role of taxation,
which--if we are going to buy into the free economy myth--will result in lower
overall utility: for both customers and businesses.

~~~
raganwald
By your argument, we should abolish laws regulating workplace safety, product
safety, and pollution control.

All of these things could be enforced by consumer demand, but they are not.
All of these things impose a cost on business, driving up prices.

There is room for believing that the free market should be unfettered to the
point that businesses can be left to choose what level of safety to provide
for workers, left to choose whether to make safe products, and left to choose
whether to pollute our environment.

If you believe that, I think we differ at some axiomatic level, not a logical
level.

I know that businesses are making "rational" decisions. But just because it
"maximizes their utility" doesn't mean I want them to do it. Enron was
rational. Why do we pass laws against its behaviour? Why can't we leave it to
the marketplace to choose where to invest?

Again, this is a deep, axiomatic issue. If you are fundamentally against a
regulated environment, I understand your view without agreement.

~~~
willarson
Consumers will buy the products that grant them the most utility. Workers have
resources to create the environment such that safe workplaces create products
with higher utility (by striking in unsafe environments, demanding higher pay
in unsafe environments). Thus workplace safety can be, _and is_ , enforced by
consumer demand.

Product safety is indeed regulated by consumer demand. People who value safety
purchase safer cars, and safer cars exist to be purchased. When contact
solution of a certain brand was found to be contaminated earlier this year,
people stopped using it, even before the findings were certain. This is
because the expected utility of using the product had fallen compared to that
of other brands, and thus it was no longer worth its price.

Pollution control is similar to safety. People are willing to pay a premium
for less polluting alternatives. Look at Google scrambling to declare itself a
green entity. Look at the resurgence of locally grown food (which consumes
less fuel in transport), but often costs more. There are real market forces
exerting pressure upon businesses to provide less polluting services. It isn't
clear that regulatory forces are being very successful (among other examples,
Kyoto Protocol has failed miserably to achieve a meaningful shift).

Enron wasn't rational, as evidenced by committing wide-scale fraud. They were
in a euphoric panic, simultaneously high off of their success and panicked
that they could not maintain it. Their cavalier disregard to legality and
honesty destroyed their company, and even without a governmental body to
enforce regulations it seems inevitable that the gathering weight of their
deception would have swallowed them whole. They pretended to have resources
that didn't exist, and eventually consumers would have been awakened to this
truth via a catastrophic failure of one sort or another: the existing
government regulation certainly did nothing to curtail the financial pandemic
that Enron's bloated corpse transmitted to America's economy.

You have a solid point, that we often don't like which actions are rewarded in
life, and that it often seems like government regulation can improve on the
allotments of resources: that an organization can compensate for the flawed
actions of humans.

This is why we now have organizations (UN) that supervise organizations
(countries) that supervise organizations (pronvinces) that supervise
organizations (municipal districts), that supervise people. I always thought
the idea was to build layers of abstraction on top of _working_ components.
Somehow stacking layers of flawed implementations has always seemed to magnify
and obfuscate flaws rather than compensate for them.

------
Tichy
At last one hiring "test" where I would utterly fail. It doesn't sound like
much fun, either, so it would probably be for the better.

~~~
raganwald
No, it really isn't much fun. Nor is it fun for Chefs to sit in class learning
about hand washing protocols (there is a right and a wrong way to wash your
hands).

Keep that in mind the next time you eat at a restaurant where they pay the
food prep people minimum wage!

~~~
Tichy
Point taken, and I am always subconsciously aware of the fact that eating out
is icky.

However, I think there is a fundamental problem: if the protocol is too
tedious, people will just ignore it. Then the situation is worse than before,
because the protocol gives you a false sense of security.

Rather than complain about the people, I think it would make more sense to
complain about the protocol and change it in such a way that it is impossible
to get around it (without it being so tedious).

Example: in the bakery, the bread slicing machine only works with the
protection down, so theoretically the worker can't possibly cut off his hands.

Also, a worker should be aware of the fundamental issues, rather than just
follow a protocol like a robot. Especially with security, isn't it the most
common reason for security to fail that people construct doors with foolproof
security, only to leave a gaping whole open right next to it?

~~~
raganwald
I think it would make more sense to complain about the protocol and change it
in such a way that it is impossible to get around it (without it being so
tedious).

Isn't this the basis for things like binary milestones, iterative development,
continuous integration, and so forth? An attempt to set up the system such
that the easiest thing to do is also the highest value thing to do, without
being too draconian?

In the end, carrots work better than sticks, I quite agree.

~~~
Tichy
If I was exactly sure what all these names stand for, I could answer that ;-)

I am sorry that my comment sounded so negative. Actually, I was really
impressed about the certification I would fail. All the other "how to hire"
articles so far were like "check that the candidate can add 2+2". And I wish I
knew more about the methods you propose.

Isn't there always a lurking feeling of "there has to be a better way" in
programming?

------
gleb
There is some correlation between presence/specific college/type of degree and
certain relevant properties of a worker. That's why employers want to know.
That's why everybody puts this info on the resume.

Do read this <http://paulgraham.com/judgement.html>

~~~
raganwald
Nice. Did you know that Port goes well with Fruit and Cheese?

You may find this goes well with that:

[http://weblog.raganwald.com/2005/07/why-you-need-degree-
to-w...](http://weblog.raganwald.com/2005/07/why-you-need-degree-to-work-for-
bigco.html)

;-)

~~~
gleb
Do read that PG article. A simple non-emotional and non-defensive answer to
the hiring manager telling him you didn't go to college, but rather did
whatever else you did would be best, IMO.

How did you spend your your time in the mid-eighties, btw? You've got me
intrigued now.

~~~
raganwald
I read that article when PG published it, and again when you mentioned it.
What makes you think I gave a defensive or emotional answer to the
intermediary who asked the question?

I'm perfectly aware of the fact that the person asking the question either
considers this piece of data of paramount importance OR they have twenty
resumes on their desk that all look the same, and they're looking for an easy
way to winnow the pile down to three, so even if it isn't that important, it's
a way to shorten the pile.

I personally doubt that they were looking at twenty nearly-identical resumes.
My experience is that either of two situations hold: first, they might really
believe this is the most important thing they need to know, or second, they
might not be particularly skilled at identifying good candidates.

Note that I am not claiming I'm a good candidate: but if I'm not worth an
interview, they should be able to tell without that question, the facts are in
plain view.

