My take on how a decade (or more) of using cloud services for everything has seemingly deskilled the workforce.
Just recently I found myself interviewing senior security engineers just to realize that in many cases they had absolutely no idea about how the stuff they supposedly worked with actually worked.
This all made me wonder, is it possible that over-reliance on cloud services for everything has massively deskilled the engineering workforce? And if it is so, who is going to be the European clouds, so necessary for the EU’s digital sovereignty?
I did not copy-paste the post in here because of the different writing style, but I get no benefit whatsoever from website visits.
I get what you’re saying, but also see the other side - these services exist and aren’t ever going away, so the level of knowledge you need about these to use them at least competently is significantly reduced.
What their existence does mean is that there are thousands of developers who wouldn’t ever have touched or learned any of this stuff previously who are now actually learning it and using it. That’s a positive thing. Not everyone needs to be an expert on the inner workings of everything that a service provides unless you’re specifically looking for an expert.
Also… people lie on CVs and cover letters. If your ad has buzzwords and technology X, Y, and Z, then you should expect people with little to no knowledge of at least one of those things to have all 3 on their resume.
I applied to a place that asked “experience in SquirrelScript” - that seemed like a personality test, I told the truth: 0. Surprisingly, when I got hired there, they were indeed one of the three places in the world using SquirrelScript at the time. Manager said that over half of applicants professed deep experience with SquirrelScript, but none ever had it for real. It wasn’t hard to learn.
If too many of these services are provided by another country, that country could severely cripple your infrastructure by denying you service. In times of international conflicts, this could be a very serious problem.
I partially agree, but not only are we looking for experts in that thing, we are also looking for security experts, and security knowledge is very much meta-knowledge. A software developer might not care at all about - say - how the CI/CD works, because all they care about is that the thing builds the code. A security expert generally has a broader scope, and their job is not functional, which means their job is exactly understanding the thing to be able to model the risks around it. So they might not care about all the tools used in that CI/CD or the exact details of the steps, but they should understand the execution flow, the way third-party dependencies are pulled, verified, consumed, the authorization model, etc.
There is no such thing as a security professional who doesn’t understand - at least from an academic point of view - the overall setup of a thing they worked with.
If I take the image attestation example I made in the post, I consider the “inner workings” to be the cryptographic details, such as ciphers and their working mechanisms, or the exact details of the way that attestation can be verified offline, or what exactly is computed and how. I am OK with someone not knowing this. But not understanding the whole flow? Well, without this what’s left? Copying the 3 lines of code that do something from the GitHub documentation? Any software engineer can very much do that, what is your contribution as a security specialist?
Totally agree. It is very likely, although the more people I interview, the more I think that they are not lying from their perspective. It’s that people can legitimately make a career today by stitching together stuff with scotch tape, spending years just doing that and effectively have little to show for those years. But from their perspective, they might be experienced in that stuff, maybe?