by disport 2019 days ago
Another way to rephrase the question is: why don't networked devices require signoff from a professionally licensed engineer on their specific software implementation before they go to market?

You see "forethought" in devices offered to the public when regulation DEMANDS it: think cars, bridges, medical devices, because (or so it's been rationalized), the public needs accountability (a named, professionally licensed, buck-stops-with-them head to roll) when that product can cause harm.

But software harms TOO! Think privacy, banking, relationships. Those can be harmed. It's always felt to me like a historical accident that networked devices, really most software in general, slipped past this accountability requirement. Without a specific, named accountable person, security seems to fall into the not-my-problem phenomenon, and continues to generate articles like the one from the OP.

In the imagined future where signoff from professional engineers was required, you'd see pushback against a vendor by the engineer until the implementation was secure, because the engineer's licensure was on the line until it was secure. And the vendor couldn't just "shop" for a favorable signoff, because every engineer would be held to the same ethical standard and penalty.

3 comments

Software engineering licensure is an old debate. To say the least, I can easily imagine it making things worse, where let's say, all software has to be written in Java and get a rubber stamp by someone who hasn't actually built anything for years, and then still nobody gets held accountable when security breaches happen. Meanwhile, a bunch of college dropouts build something that's actually good using bulb, and then just have users sign away their rights in a contract instead of getting their software certified. And most of the world still runs on the Linux kernel which also had no interest in getting certified.

It's a hard problem.

Ah, yeah. Well. Finance and accounting is a very regulated space, yet there are auditors that don't sign off on stuff, and miraculously the same stuff gets signed by a different one a bit later.

Also - and I'm not saying requiring sign off is a bad idea - but it's not a coincidence that secure walled gardens look like a manicured Black Mirror dystopia.

Software development is one of the few areas where simple folk with little money can start something great and make big bucks. Implementing your proposal on a global scale would kill it all and a whole lot of innovation with it.

As they say, "live and let live". We already have this control where it is needed. Leave the rest to manage their own affairs.