[qchris]

Every time this comes up, people (some of whom are in this thread) end up talking about how this can't/shouldn't happen for software. After all, what, is every high-schooler or green college grad that ever wants to code their own app for a startup going to have to be professional certification?

I guess I'd argue that those people shouldn't be legally allowed near this kind of thing without that kind of a certification. Looking into all of the other engineering disciplines, that's exactly the kind of thing you see. I have a BSME, but I haven't taken the Fundamentals of Engineering exam to get my FE cert, in part because getting a PE certification requires working underneath a licensed PE for a certain number of years, which isn't the case for my current job.

I also know that by not doing so, there are certain projects that I simply can't work on. I have to imagine that there's a way to create a legally enforceable framework that falls into the same category for software engineers. Want to build a company that creates a digitally-synced notepad? Have at. Want to touch personally-identifiable medical data? Better have a licensed engineer working on that project to sign off, else your company is wide-open to liability claims with teeth. If something unreasonable gets by the signed-off engineer, they're on the hook too.

Obviously, it's a complicated problem, and reducing things to a first-order solution rarely is a catch-all, but there has to be some more professional/personal responsibility taken by the individuals building these systems, and a requirement of licensure is a way of empowering engineers in those positions to the point where it actually matters.

[KMag]

> After all, what, is every high-schooler or green college grad that ever wants to code their own app for a startup going to have to be professional certification?

You answer your own question fairly well, but I'd add the observation that in licensed engineering domains, we don't always require licensed engineers. We have a licensing regime for structural engineers, but we don't require them for minor structures like gazebos or doghouses.

We could have licensed Software Engineers, but only require licensed oversight for software dealing with human lives (avionics, medical devices), PII, elections, and a few other critical cases.

[raxxorrax]

I think this is a bad idea.

I developed software for medical devices and you have to do a risk analysis, formalize the software development process, declare qualifications of people, make it revision proof, have a formal testing process, ... everything is already accounted for.

Notified bodies ensure compliance. They have the problem that they cannot really evaluate the work of software engineers of course. Not even another software engineer could do that within feasible time limits. No software engineer can make sure there aren't exploits that could endanger user data. You can at most test if due diligence was ensured.

The manufacturer is responsible for ensuring safe operations of devices and yes, that includes keeping personal data safe.

But again, the problem wasn't the engineer at all, the problem is the wish for amassing data like this. Paper license or not, it rarely ensures competency and wouldn't have solved this problem.

Aside from legislative issues that ensures that user data belongs to the user the data is about, ensuring that companies don't sell and share medical data with "friends and family", ... this is probably the last step, if it is even required at all, which I would dispute. There are no guarantees if you amass data like it was done here.

[rapind]

Make it prohibitively expensive to leak data (compliance fines, lawsuits) and the problem will solve itself. Companies that collect data will then be begging for certification and regulation.

[dependenttypes]

It would be even better if people learned to refuse to give data irrelevant to the service that they are seeking and/or if there was some sort of regulation about this (I should not have to give my name and address when returning a product for example).

[pnathan]

I would agree.

I've worked in critical infrastructure work and retain an interest in the field. A professional software engineering license should be legally required for certain classes of risk.

Ultimately the answer to an irresponsible feature ask should be:

> I will not approve implementing this feature, because in my professional training and experience, the risk exceeds the acceptable tolerances for a (spaceflight, medical, power systems) delivery. If I implement this and a failure occurs, I will be in court and my career over: I refuse.

[rorykoehler]

We could run a 2 tier system. Anyone can build apps but to build apps handling sensitive PII you need to be registered. Execs need to be liable for this to work.

[dependenttypes]

Guess I should go to jail for daring to make a script for me and my friends that uploads screenshots to my server without having a professional certification, huh? Same for releasing open source software.