varsock

joined 1 year ago
[–] varsock 1 points 1 year ago* (last edited 1 year ago)

society gains nothing by preventing a software developer from implementing ...

I see the point you are trying to make but I respectfully disagree. Technology is at the core of seemingly every field and at the core of technology is software. Will it result in direct bodily harm? Rarely. But indirectly the impact is certainly more substantial.

Take the internet as an example. The significance of the internet and information sharing cannot be disputed. Disruptions to information sharing can send ripples through services that provide essential services. Networking these days is accomplished via software defined networking techniques. And we are becoming more dependent on technology and automation.

I can see why the indirect risk is not as scary as direct risk, but you have to admit, as automation is growing and decisions are being made for us, regulation of those that build these systems should not be overlooked. Professional engineers have a code of ethics they have to adhere to and if you read through it you can see the value it would bring.

As a counter example to your "doctors are licensed to not kill people" - orthodontists, who move teeth around, pose no fatal risk to their patients. Should they be exempt from being licensed?

EDIT:

Just yesterday news was published by Reuters that Musk and managers at Tesla knew about defects of autopilot but marketed otherwise. If those working on it had been licensed, then negligence and deceitfulness could line them up to lose their license and prevent them from working in this line again. It would bring accountability.

[–] varsock 4 points 1 year ago

Getting a developer account with Red Hat, you can have up to 10(?) instances of Red Hat Linux LTS. Super stable, is run on servers for many critical services. Or just use Rocky Linux (bug for bug compatible with Red Hat) and establish a rollback procedure. There are rollback options at the filesystem level so you can snapshot before an update.

I use Fedora and I don't typically have any issues, and that is considered bleeding edge.

Macs have too many guardrails that get in the way, which can be as disruptive as something breaking because you need to work around it. But I am acknowledging that it is use case dependent.

[–] varsock 2 points 1 year ago (2 children)

This is the best suggestion for DIY, I can even get away without a printer and just write by hand. Perfect! Wish I could pin this comment.

[–] varsock 3 points 1 year ago

Nothing wrong with being self-taught; you could follow these basic topics before poking holes in the firewall.

  1. VLANs: learn how to separate your LAN into networks with different security requirements. For wireless, try to make a "main" and "IoT" network so that the IoT network can't talk to your "main" network but "main" can reach IoT devices. For wired, try to have a Management network, and a "Dirty network" etc.
  2. Firewalls and Routing: You will need to be able to route between your VLANs and set firewall rules to allow certain traffic. Best practice is to block everything and allow only what you need.
  3. Nmap: learn how to do Nmap scans of your network to discover hosts and their open ports/services. This is a similar approach that "hackers" and script kiddies use on the public internet to find vulnerabilities and open services. Being able to probe your own network is crucial in understanding how others might approach penetrating it.
  4. WireGuard VPN: Learn to access your network remotely by setting up a WireGuard VPN. WireGuard is preferred because it is "stealthy" and will not respond to unsolicited attempts to probe your network. Start small by using WireGuard to access between VLANs so you don't run the risk of using the internet.
  5. NGINX and Reverse Proxy: If necessary, learn to expose your services or blog or website by only exposing nginx and proxying to your services. Many guides on securing NGINX exist. Try not to expose anything, but sometimes it is necessary if you want others to reach your website/blog/hosting etc.

That's a rough outline that you can use to guide yourself and achieve milestones with hands-on experience. In your pursuit you'll run into certificates and domain name hosting and stuff. But all this is on the web so let your curiosity (and paranoia) drive! Have fun!!
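As an added example (not part of the comment above), here is an nftables ruleset that implements steps 1 and 2 of that outline on a Linux router: default-deny forwarding between VLANs, "main" allowed to reach IoT but not the reverse, and router admin services reachable only from a management VLAN. Interface names (vlan10, vlan20, vlan99, wan0) and the policy of what each VLAN may reach are assumptions for the sake of the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original comment. Assumed interfaces:
#   vlan10 = "main" VLAN, vlan20 = "IoT" VLAN, vlan99 = management VLAN,
#   wan0   = uplink to the internet.
flush ruleset

table inet homelab {
    chain forward {
        # Step 2: block everything crossing VLANs unless a rule below allows it.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already allowed may come back;
        # this is what lets "main" -> IoT work without opening IoT -> "main".
        ct state established,related accept
        ct state invalid drop

        # Step 1: "main" may initiate to IoT devices (e.g. a camera's web UI).
        iifname "vlan10" oifname "vlan20" accept

        # IoT may never initiate toward "main" or management. The drop policy
        # already covers this; the explicit counter makes blocked attempts
        # visible in `nft list ruleset` so you can see what is probing.
        iifname "vlan20" oifname { "vlan10", "vlan99" } counter drop

        # Every VLAN may reach the internet (NAT is configured separately).
        iifname { "vlan10", "vlan20", "vlan99" } oifname "wan0" accept
    }

    chain input {
        # Traffic addressed to the router itself: also default-deny.
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept

        # Router admin (SSH) only from the management VLAN.
        iifname "vlan99" tcp dport 22 accept

        # DNS and DHCP for all VLANs so devices still get addresses and names.
        iifname { "vlan10", "vlan20", "vlan99" } udp dport { 53, 67 } accept

        # ICMP/ICMPv6 so ping and path MTU discovery keep working.
        meta l4proto { icmp, icmpv6 } accept
    }
}
```

This ties into step 3: after loading the ruleset with `nft -f`, an Nmap scan of the "main" subnet run from an IoT host should report the hosts as filtered, while the same scan from a "main" host should still show the IoT devices' open ports.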

[–] varsock 1 points 1 year ago

The table of contents hints there is only one section relevant to security, Lab Firewall Config.

Anyone have experience with this book that could vouch for other chapters that explore best practices for security?

[–] varsock 2 points 1 year ago* (last edited 1 year ago)

Good question. Software and computer practices are changing much faster than other fields, but with time, pillars are being better and better defined. Production quality code, CI/CD, DevOps, etc.

Civil engineers have a successful licensure process established. See my comment regarding that.

But an approach where a candidate would spend time under a "licensed professional software eng" would favor practical work experience over academic.

[–] varsock 3 points 1 year ago* (last edited 1 year ago) (2 children)

The trades are a great example of having to work under a professional. Other engineering disciplines also have successful licensure processes. See my comment regarding that.

There are parallels to be drawn between licensed professionals (like doctors, CPAs, lawyers, civil engineers) that they all have time under a professional and the professional then signs off and bears some responsibility vouching for a trainee.

[–] varsock 1 points 1 year ago

I think it's important to check for competencies that are valuable to the employer during the interview process. However many, but admittedly not all, employers will use time constrained college level puzzles that a candidate can usually only solve if they have seen it before.

I've been on both sides of the interview process. In my day to day I use a debugger to verify and step through code all the time. HackerRank, the leading platform to test candidates and generate a metric report, doesn't even have a debugger. Off-by-one index mistakes are sooo common to see from a candidate who is under time pressure. A few iterations with a debugger and problem solved. I advocate for candidates to develop on their own env and share their screen or bring it with them. But anyway, I'm ranting.

I agree with most comments arguing against a standardization and pointing to the weakness. I didn't say it works great, I just wish it was like some other professionals have. See my comment about other engineering disciplines that have a successful licensure process.

[–] varsock 2 points 1 year ago

I agree with what you said, it is a shit show, but I wish it weren't so.

My good friend is a civil engineer and for him to obtain a Professional Engineer license (PE) he had to complete a four-year college degree, work under a PE licensed engineer for at least four years, pass two intensive competency exams and earn a license from their state's licensure board. Then, to retain their licenses, PEs must continually maintain and improve their skills throughout their careers.

This licensing approach is prohibitive to just "pay your way" through. This never caught on in software and computer eng because of how quickly it was (and still is) changing. But certain pillars are becoming better defined such as CI/CD, production-safe code & practices, DevOps.

[–] varsock 19 points 1 year ago (17 children)

To add to this, I'd like standardization of qualification and competencies - kind of like a license so I don't have to "demonstrate" myself during interviews.

I hate being in a candidate pool that all have a degree and experience, we all go through a grueling interview process on college basics, and the "best one gets picked." Company says "our interview process works great, look at the great candidates we hire." like, duh, your candidate pool was already full of qualified engineers with degrees/experience, what did you expect to happen?

[–] varsock 3 points 1 year ago

you're incredibly helpful! thanks for linking these threads

[–] varsock 2 points 1 year ago* (last edited 1 year ago) (2 children)

welp! thanks for laying it out.

I'm curious how, if at all, this will affect the Brave browser, which is Chromium-based but natively bakes in ad block and tracker block. I assume Manifest V3 is an API change, so unless Brave uses the API under the hood they should not be affected. But their performance is pretty stellar so maybe they have something more native to achieve this.

EDIT: WOW! Checked the bug tracker and the Manifest V3 announcement goes back to 2018.
