Is It Time To Certify Software Engineers?
It shouldn't be so easy for anyone to publish a poorly secured application to the public.
If you didn’t catch the latest consumer tech data breach, I wouldn’t have blamed you. The latest breach of a social medial platform that involved the selfies, photo IDs, and personal messages of tens of thousands of customers seemed to go buy the wayside as the country, understandably, reeled from it’s daily dose of stupid news. However, that is exactly what happened last week when the Tea App, who left the database containing their customer’s personal data, completely exposed to the public.
How bad was this data leak? Well the social medial platform aimed to provide a safe and semi anonymous place for women to discuss recent online dates, from platforms like Tinder and Hinge. If a guy was swell, then recent dates could leave good comments, and if there were any red flags - women could discuss them. Imagine, Glassdoor but for online dating. To sign up for the platform customers had to submit photo evidence which could come in the form of a selfie or an ID. The leaked messages included discussions around potential infidelity of partners, abortions, and reputation damaging claims about men mentioned in the app.
But what makes this breach particularly embarrassing for me is the absolute lack of engineering discipline. The “hack” involved directly connecting to a publicly exposed database that contained zero passwords or security measures.1 Any fresh out of college junior engineer would know not make such an error. Furthermore, this database was hosted in Firebase, which has a history of engineers incorrectly setting security.
This incident, as well as the numerous that have come before it, have led me to question whether it is time to place more safety guard rails around building and deploying applications. In most engineering, medical, or other disciplines that impact people’s lives, it is normal for practitioners to gain certifications for their specific line of work. These certifications are in addition to a college education and are used to verify that a professional is not only technically component, but also has a decent knowledge of the laws surrounding their profession and how to comply with those laws.
Accountants have their CPA’s, lawyers have specialization certifications, mechanical engineers have professional engineering licenses, and the list go on. But outside of a few IT and pointless cloud certifications, software engineers do not have certifications that permit engineers to build and deploy certain public projects.
Building and deploying software applications has minimum oversight like no other engineering profession. If a group of civil engineers decided they wanted to start constructing a skyscraper in their local downtown, there would be a decades worth of legal restrictions they would have to hop through. Software engineers - don’t even need to be engineers - in order to deploy a mass data harvesting application into the public. Besides time, energy, and some capital, nothing is stopping an individual from spinning up their own “Tea App” for customers to use.
The lack of safety guard rails has historically made sense both from a professional and application standpoint. Modern software engineering grew from a demographic that contained a decent number of self-taught individuals. I’ve worked with many engineers in corporate settings that either learned from online classes, dropped out of university, or taught themselves from textbooks. As a result, the field already contains a number of professionals that raise an eyebrow towards institutional education and certifications.
Practically, many early consumer software engineering applications were fairly innocuous. There is an easy argument to be made for why the individual publishing “Doodle Jump” probably shouldn’t have to be certified. However, we saw a considerable shift in the scope and responsibility of software applications in the early 2000’s with the rise of platforms like MySpace and Facebook. The social media platforms collected obscene amounts of information about their customers.
In order to certify an engineers understanding of laws relating to their professions, the profession needs to have laws. Even after the rise of massive data harvesting applications, countries lagged to build data privacy legal frameworks. Today, almost every country has some laws around data privacy, even if they are simple.
Yet if you ask most software engineers about laws surrounding personally identifiable information (PII) and relevant privacy laws, such as COPPA, HIPAA, and GDPR, you will likely be met with blank stares. So it should come with little surprise that social media and software application data breaches continue to happen.
Ultimately, there needs to be a higher barrier of entry for deploying applications that can potentially damage the reputation, safety, or privacy of an individual. The engineers building Tea App - an application designed to discuss potentially sensitive and reputation damaging content - should have been familiar with how to properly encrypt and secure sensitive data. Cloud companies like Google, that host the sensitive data that ultimately got leaked, should verify that the engineers using their storage solution have the qualifications necessary to comply with regional privacy laws. If we believe that the formal (or informal) education that the engineers have are not enough of an assurance, then the engineers should gain a certification that grants that assurance.
We don’t let any individual practice law, medicine, or any other branch of engineering. Software engineering is the golden exception. But why? My depressing assumption is that the consequences of such data breaches are not as dramatic or direct as the errors from other disciplines. When a bridge collapses or a group of patients receive faulty medication, the death toll is high and culprit is usually obvious. However, many of the life altering events of a data breach occur downstream. A guy keeps getting rejected from jobs, because unbeknownst to him his name is associated with a data leak, or a woman is stalked because a creep found her address from a data leak. The connections to the event are harder to draw. Yet they are real, and we can start to limit them by having higher standards for our engineers.