
Yeah, now imagine another engineer go "my first bridge just fell apart the first time a real truck tried to cross over it lol" or "man my first plane crashed so hard"...



Ya know, the Roman tradition was, you gotta stand under the bridge while the army marches over it. If it collapses, you die too. Maybe there's something to having nudes of that dev.

Real engineering is expensive. And hard. Moving atoms around is tough. I've never cut stone, but I've melted and cast copper and aluminum. That's real and dangerous work.

Computation is cheap and plentiful. And I kinda like having full control of "stuff". But maybe we do need licensing or personal liability. If I could wave a magic wand, and make that exist, I don't really know what rules I'd put in place.

How do you think people should get skilled up?


> How do you think people should get skilled up?

You didn't ask me but I can give you my answer: not on prod and with a lot of reviews!


> Maybe there's something to having nudes of that dev.

Most users of these sorts of app don't pay enough attention to security to care. Do you really think that most developers are any better?

Most developers are just normal people who happen to be able to write a bit of code and convinced someone to employ them. Just like anyone else, far too many live under the delusion that "it can't happen to me."

Translation: making them eat their own dogfood and risk their own embarrassment won't help; they would have to know better, first! =)


That's an interesting idea. Bridge builders and flight sims are used in industry to test to see if a bridge design will fail or if a plane will crash. They're not limited to oversimplified and fun video games.

I wonder if there's a market for a "write a CRUD app and let it loose on the Internet and watch it get pwned" simulator/game.


That's hiring a pen tester, and there is a market for it, but companies don't do it as much as they should because it costs money while the app already "works" and brings in revenue. Of the 3 I've worked at, only one had yearly pen tests done.


No one hires someone to test what happens when a bridge is shot with a missile from 6000 miles away. The bridge "works" in the same way that the software "works".


A software penetration tester has the same techniques and suite of tools for pwning as "the internet".


I don't see how that statement follows mine. Can you connect them at all?


I thought you were making the comparison that a pentester is like a missile shot at a bridge whereas the internet is the army walking over the bridge.


Oh, I see. No, the missile is a hacker attacking your software remotely. Bridges are just accepted that they will collapse if deliberately attacked by a determined attacker. Software is held to a higher standard, not a lower one.



