
The analogy does work. The house is any software provided by any vendor. The kind strangers are white hat security researchers. The people living in the house are the users.

Software absolutely has baseline materials; have you never written software before? Never used a library? Programming language? API? Protocol? Data format or specification? CPU instruction? Sorting algorithm? A standard material is just a material tested to meet a standard. A 10d nail is a 10d nail if it meets the testing specs for 10d nails (ASTM F1667). Software can be tested against a spec. It's not rocket surgery.

No known practices with acceptable results?? Ever heard of OWASP? SBOMs? Artifact management? OIDC? RBAC? Automated security scanning? Version control? Code signing? Provenance? Profiling? Static code analysis? Strict types? Formal proofs? Automated testing? Fuzzing? Strict programming guidelines (ex. NASA/DOD/MISRA/AUTOSAR)? These are things professionals know about and use when they want standard acceptable results.

What are you talking about re: space shuttle and tens of millions? Have you actually read the coding standards for Air Force or NASA? They're simple, common-sense guidelines that any seasoned programmer would agree are good to follow if you want reliability.

I think the problem here is there are too many armchair experts saying "Can't be done" when they don't know what they're talking about, or jaded old fogeys who were on some horrible government project and decided anything done with rigor will be terrible. That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions. I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.

AI is going to introduce 100x more security holes than before, so something will have to be done to improve security and reliability. We need to stop screwing around and create the software building code, before the government does it for us.




> What are you talking about re: space shuttle and tens of millions?

GP was almost certainly referring to "They Write the Right Stuff," an old article that is pretty well known in spaces like this. It discusses a process that (a) works extremely well (the engine control software was ~420 kLoC with a total of 17 bugs found in a window of 11 versions) and (b) is extremely expensive (the on-board shuttle software group had a budget of ~35 million per year in mid-90s dollars).


> The analogy does work. The house is any software provided by any vendor.

Even before we start, you immediately have a problem. When a house is built, the thing to be inspected is built in the jurisdiction requiring the inspection.

If you have some code being written in China or India and some US jurisdiction wants to require the sort of programming practices you're suggesting, is the US going to send inspectors to other countries? How do they even validate that the processes are being followed either way? And what are you proposing to do with all the existing code that was written in the past? Requiring the company to have a checklist included in their book of procedures that nobody is actually following doesn't solve anything.

The way this nominally works for building inspections is that the inspector waits until after the work is done and then inspects the work, but that's a validation of the result rather than the procedures. The equivalent for code is an audit, which is dramatically more labor intensive for the government than sending someone to have a quick look to see if the wires appear to be hooked up right, if you expect it to actually do anything.

> I think the problem here is there are too many armchair experts saying "Can't be done" when they don't know what they're talking about

There are too many armchair experts saying "if they can land a man on the moon then surely they can land a man on the sun."

> That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions

First notice that you're listing all the professions where costs are out of control and the incumbents have captured the regulators to limit supply.

On top of that, those regulations are not even effective in solving the analogous problem. For example, the ethical requirements for lawyers nominally require them to do the thing public defenders aren't provided with the ability to do, i.e. spend enough time on the case to give the client adequate representation. Public defenders are given more clients by the state than they have the resources to actually represent. Quite unsurprisingly, this utterly fails to solve the problem of indigent defendants not having adequate representation.

But that's the thing most analogous to what you're proposing. If you nominally require companies to do something they otherwise have no real incentive to do, which you have no efficient way of verifying that they've done, and provide them no additional resources to do it, you can't expect "they will now do it well" to be the result.

> I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.

What makes you think the software developers are the ones objecting to it? They, and the incumbent companies trying to raise costs on smaller upstarts, are the ones trying to establish a new racket and exclude newcomers from the industry. The ones objecting are the customers, and anyone who values efficiency and efficacy.

> We need to stop screwing around and create the software building code, before the government does it for us.

"We need to stop screwing around and create the Torment Nexus, before the government does it for us."



