I think in addition to the measures he says, if you're hiring for a web position, it's good to make sure they understand how the stuff they're using functions. If they don't have a good grasp of how HTTP works / URL parameters / that kind of thing, then they can have some nice-looking code which seems to work, but has faulty assumptions that can be security and bug nightmares down the road.
Of course, you could always take smart people and train them - but seriously, who does that anymore?
Web programmers who follow your advice usually sound like idiots who don't know much about what they're doing. Lots of them like to reimplement wheels like HTTP caching, HTTP authentication and content negotiation, even error codes (!). I have grown tired of the stupid shit web "programmers" without knowledge of HTTP are capable of generating. Especially when paid by the hour.
I agree with you 100%. For web programming, I'd say it is understanding the HTTP protocol. Many people can code in ASP.NET or even write servlets but don't know how sessions work, cookies, or basic things like the differences between GET and POST.
Also keep in mind that there is an industry full of recruiters who don't agree! If the job ad says you need previous experience with Boongolatr.js version 3.147, then Boongolatr.js version 3.147 it is. Then good fundamentals and knowing Scheme, Haskell and shit won't help you.
I would say that if a web dev can articulate HTTP verbs, their uses, and how to design a cohesive naming strategy and documentation scheme, that's all they need to be competent. There is no need to read the HTTP RFCs for most design tasks. I can understand those requirements for Google, AWS, Facebook devs, but 90% of the work out there doesn't need that level of understanding to make something decently performant.
We can assume that many HN readers are closely related to Web programming. Either they do it themselves or their wage gets paid because their employers' business depends on Web apps.
If the article is right that it is close to impossible to hire a Web developer that understands all Web security issues and knows how to mitigate them, it does not come as a surprise that there is fierce criticism of the article. It basically says you are doing a hopeless job and your employers' business model is flawed.
I'm not a Web developer, but I find the article very convincing. From what I follow in headlines, Web programming changes very quickly and the frameworks change all the time. Meaning that smart people are not happy with what is available and are writing new stuff. Yet I don't think security has been the primary driver for any new framework. They are still parsing text. So let's see whether the author has any fundamentally different approach in his next post (if anybody remembers to read it).
Disclaimer: I work in embedded and our company advertises to be very secure. I know that our security sucks.
Just so everyone is aware, the guy is not an expert in web development. Neither is he a frontend engineer.
When hit pieces like this come out against an entire tech stack, always check the author's job and past experience.
Our industry has not matured enough to split expertise areas into solid titles, and to grow respect for those titles, just yet. The author's title points this out very clearly: "Software Engineer".
Try getting a job in any sizeable company by building your entire experience with HTML and tell me how it goes.
totally agreed abbasmehdi "find people who are..." and thanks for the comment.
regarding basic web development: we've built several sites over the last 10 years, but have never learned to hack in a language (e.g. RoR); just bits of code as needed and lots of 'wysiwyg' manipulation.
we're basically trying to build a web application and think given our current jobs and lives it would take us a year or longer (much, much longer!) to acquire that sort of skill set, so we think best handled by experts (or experts in training).
How would a non-technical person hiring a freelance web developer to do their site know that developer learned everything from W3Schools and is going to leave gaping security holes?
Yes, a great interview question. And it's quite surprising how many devs do not know those things and still manage to build successful web applications, if not necessarily the most performant/secure/maintainable.
I disagree on that point. Web development is not the same as desktop dev, because HTTP is something you should know if you want to code solid and secure Web applications. If you don't know how it works, you'll end up with forms validated only with JavaScript, double submits because people are loading pages, etc.
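The HTTP points raised in this thread (GET vs POST, how sessions and cookies work, forms validated only in JavaScript, double submits on reload) can be shown in one small request handler. The block below is an added example written for this page, not code from the article or from any commenter. It is a framework-free, stdlib-only handler with an in-memory session store; the routes, field names and the "order" form are constructed for illustration. It re-validates on the server regardless of what the browser's JavaScript did, binds a one-time form token to the session cookie so a resubmitted POST is rejected, and answers a successful POST with a 303 redirect (Post/Redirect/Get) so a reload lands on a GET instead of repeating the write.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory state for the example; a real app would use a DB.
SESSIONS = {}   # session id -> per-session data (e.g. the outstanding form token)
ORDERS = []     # orders committed by a valid POST


def new_session():
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    return cookies


def validate_order(fields):
    """Server-side validation. Client-side JavaScript checks are a UX nicety;
    anyone with curl skips them, so every rule is enforced again here."""
    errors = []
    qty = fields.get("qty", [""])[0]
    if not qty.isdigit() or not 1 <= int(qty) <= 100:
        errors.append("qty must be an integer between 1 and 100")
    if fields.get("item", [""])[0] not in ("widget", "gadget"):
        errors.append("unknown item")
    return errors


def handle(method, path, headers, body=b""):
    """Dispatch one request. Returns (status, response_headers, body).
    Only POST changes state; every GET is safe to repeat."""
    sid = parse_cookies(headers.get("Cookie", "")).get("sid")
    if sid not in SESSIONS:
        sid = new_session()
    session = SESSIONS[sid]
    resp = {"Set-Cookie": f"sid={sid}; HttpOnly; Secure; SameSite=Lax"}

    if method == "GET" and path == "/order":
        # Render the form with a fresh one-time token; nothing is mutated.
        token = secrets.token_urlsafe(16)
        session["form_token"] = token
        page = (f'<form method="POST" action="/order">'
                f'<input type="hidden" name="token" value="{token}">'
                f'<input name="item"><input name="qty"><button>Buy</button></form>')
        return 200, resp, page

    if method == "POST" and path == "/order":
        fields = parse_qs(body.decode())
        token = fields.get("token", [""])[0]
        expected = session.get("form_token", "")
        # A reload, back-button resubmit or double click replays the same token.
        if not expected or not hmac.compare_digest(token, expected):
            return 409, resp, "stale or missing form token"
        errors = validate_order(fields)
        if errors:
            return 400, resp, "; ".join(errors)   # token stays valid for a retry
        session.pop("form_token")                 # consume: one submit per token
        ORDERS.append({"item": fields["item"][0], "qty": int(fields["qty"][0])})
        # Post/Redirect/Get: the browser ends up on a GET, so F5 is harmless.
        return 303, {**resp, "Location": "/order/done"}, ""

    if method == "GET" and path == "/order/done":
        return 200, resp, f"{len(ORDERS)} order(s) placed"

    return 404, resp, "not found"
```

Walking a request through by hand: the first GET sets the `sid` cookie and embeds a token; a POST that carries the cookie and token but `qty=500` is refused with 400 even though a browser-side check would have "validated" it; the corrected POST gets a 303 to `/order/done`; resending that same POST body gets 409 and the order count stays at one.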
Sure, but there are limits. If you have a company that is heavily focused on web dev, you are naturally going to want people who have web dev experience. Maybe you won't mind too much if someone with a lot of talent has a history with Python or PHP and your current systems are based on Rails, but you will probably be a lot more cautious if someone applies with a background in programming IBM/360 systems and knows nothing about HTML or the web.
I do think it's important to hire on talent, but I think the other extreme of a super generic "computer-based problem solver" is very unrealistic. Not every company can afford the delay of bootstrapping someone into having expertise with the technologies the company uses.
There's also an issue with how many full stack web developers who are actually capable of doing all the things he lists.
My experience is that at some scale it works out okay, but beyond a certain point it just falls flat for most. We deal with insanely talented developers who will trash a database because they don't understand how it works. Talented JavaScript developers who don't really understand how HTTP works... or load balancers, or caching... or webservers. Sometimes you get these fantastic software machines as deliverables: complex, you can't monitor them or configure much, and then it just implements a basic feature of HAProxy or Apache, but badly.
My point is not that they should be paid poorly because they fail to be excellent at every part of their job, but rather: yes, this should in most cases not even be a job title. If you find someone who can do all of this well, you almost can't overpay, but are you really sure that you want to tie everything up on one person anyway?
The problem is that a big part of a web developer's job is communication. You need to take business (or loose) requirements and turn it into an application that works.
Even MIT grads are having trouble? That surprises me. There seems to be a lot of work for web coding monkeys. Are people just being stupidly pedantic about requiring X+ years of experience in random trivial technology Y?
There's sometimes a huge mismatch between what the employer is asking, and his needs.
For example, at my current job we're asking for an expert in HTML5, JQuery, CSS2.1, CSS3, JavaScript, Ajax, Mobile Web Development, Mobile Web Performance, Cross-Browser, Cross-Platform Development; debugging tools (Firebug or equivalent), DOM, Internationalization, Localization, Apache.
The truth is, we have one of the ugliest websites, on an awful CMS, and our webpages are on ASP (not .NET, plain old ASP circa 1999) with VBScript hosted on IIS 5.
What such a rockstar web developer will be doing here beats me (the company does pay way above average wages locally, but such a developer can work for the US).
We've already wasted somebody who was a decent web programmer (he's doing mailing lists for the Marketing department), I guess that the selected applicant will end up doing ASP pages (maybe they'll let him migrate portions of the website very slowly).
It's not really arguable - HTML is not programming, it's markup.
But the point is not to make someone employable as a "hot-shot startup whizz"; just to teach them some basics so they can communicate with devs as equals.
And anyway, it would be worrying if just taking a few coding lessons would qualify someone to be employable as a programmer at all :)