by bob1029 1743 days ago
I would hesitate to put all of computer engineering into the same bucket.

Continuing the analogy, some mechanical engineers were better at learning from their exploded boilers than others were.

A few (many?) of us in the industry have been quietly watching and learning from the explosions occurring across the street. About once a week you find some wreckage strewn across the way and you find familiar stories in the tangled mess - "Too much webscale", "didn't care about the business", "meme language crippled productivity", etc. Usually doesn't take a forensic mastermind to determine why a software product exploded - at least in strategic terms.

> Does this mean we need more stringent regulatory and certification regimes for IT and computer security?

No. We do not need any more arbitrary regulatory & certification processes in our lives. If you have a specific business application that requires additional scrutiny (i.e. nuclear reactor scram control system), then the appropriate domain-specific regulations & certifications should be applied. It makes absolutely no sense to impose these constraints upon the field at large.

2 comments

> It makes absolutely no sense to impose these constraints upon the field at large.

As soon as you deal with customer PII, it does make sense to mandate a) insurance and b) standards.

Just how much PII got compromised because of failure to adhere to basic IT security standards? Target got hacked because they put IoT devices on the same network as the cash registers and CC readers. Web shops are hacked every day because of software unpatched for years. Hospitals and other critical infrastructure get hacked on a weekly basis because of even more unbelievable security issues (like, once again, running unpatched software and lacking network segmentation).

And don't get me started on the utterly disgusting shit you see in smartphone BSPs. The stuff that vendors do there is just mind-boggling - if I were a secret service looking for an exploit, I'd start in the horribly patched-together kernels. Or in IoT devices that are outdated the very moment they leave the factory floor.

Yes, we definitely need a lot more mandatory quality control and standards.

I don't think the full meaning of my post was taken to heart.

> If you have a specific business application that requires additional scrutiny (i.e. nuclear reactor scram control system), then the appropriate domain-specific regulations & certifications should be applied.

Feel free to replace "nuclear reactor scram control system" with "PII" or any other less urgent thing that makes the particular business nervous. There are many problem domains where you literally cannot fuck this stuff up even if you tried.

The stakes for indie game developers are substantially different than those for a F500 insurance company.

We definitely need to get the fuck out of other people's business. If you don't want someone to have your PII, don't share it with them. Regulating everyone on the same axis is pure tyranny when the problem space is so large.

> The stakes for indie game developers are substantially different than those for a F500 insurance company.

No, they are not. If your indie game has network connectivity that has security bugs, it can and will be exploited.

It does, however, make sense to take a lesson from medicine: Networked computers with common vulnerabilities are prone to herd infections in analogy to biological epidemics, mass hysteria, etc. So it does make sense to e.g. preventatively quarantine all unpatched Windows boxes, prescribe security measures and development practices for those systems, where a network-wide spreading event may be caused.