I thought it would be interesting to circle back now at the end of the year to see how Crowdstrike is doing, the company whose bug grounded global airlines, amongst other disruptions, for over a day. Many people predicted that the company would go under, or be "sued to oblivion".
Stock price wise, they've nearly recovered to their pre-incident peak, and they're solidly up 40% from the start of the year. They don't seem to have lost any major customers per their earnings call.
In terms of lawsuits, the only current outstanding lawsuit is from Delta Airlines, but Crowdstrike actually counter-sued Delta. We'll have to see how it works out, but boring cash settlement would be my guess.
They seem in a perfectly fine position, essentially. The incident is just a blip in time that most people will have forgotten about. Sometimes, reality doesn't play out like you think it will.
I think it's very much one of those situations that won't be a total death knell unless it happens again. Once is an accident, twice is a pattern.
Big contracts like these generally aren't gonna be dropped immediately. But I'll bet you a nickel a lot of big clients are keeping an eye out for competition in a way that they weren't before.
I understand the regulatory environment that allows companies like CS to survive, but as a person in the IT field, I hate everything about it. Check-box CYA compliance, with the absolute threadbare minimum put into the actual security product.
I'm not surprised, maybe it's selection bias, but this seems to be the trend.
T-Mobile has been breached multiple times (three times in 2023 alone, iirc) and, despite that, the line keeps going up for them. I think in total they've been able to get away with a couple hundred million in fines and judgements, which would be a lot of money if they weren't a giant telecom company.
Even SolarWinds, while not doing as well, seems to be ticking along, bruised but not broken. My understanding is that they're still being used by the U.S. federal government, despite the severity of the 2020 breach and the incompetence leading to it. A lawsuit was originally filed against their CISO, and for a second there I thought we may see some accountability. But, as of 2024, my understanding is that no individuals at SolarWinds have been criminally charged or held personally liable for the 2020 cyberattack.
It really leaves me with the impression that businesses can skate by on bare minimum cybersecurity, as long as there's some plausible deniability--at least for the larger, more established ones.
This is completely true even at smaller scale. I am an IT consultant, and I specialize in smaller companies that don't have full-time dedicated IT management. I just did a yearly cybersecurity insurance review for one of them; the 'worksheet' provided by the insurance company was, quite literally, 'do you have product x installed on your workstations', where x is a shitty antivirus that causes more problems than it solves, and is itself a large attack surface. If the answer is yes, we get a great rate in the insurance, end of the worksheet. If the answer is no, we lose our policy.
Nobody in the chain, from my client to the insurance company itself, understands the tech in any detail at all. I can make my recommendations (and to my client's credit, they do their best to work within our limitations) but fundamentally our hands are tied in many ways because we have to use shit like CS to keep our insurance, which we do need, even though I have been very clear that many of these decisions actually raise our risk profile.
But in the end, CYA trumps almost everything in the corporate world, at least with the way things are right now. It really is maddening.
This came up at my last workplace - devs chafed against frequent password resets, citing evidence that they're counterproductive to security. But that didn't change the fact that changing passwords for our workstations at a certain frequency was a box that needed to be checked for some security certification or another, and what our customers cared about was that we could point to that security certification.
I didn't want to come across as too conspiratorial-sounding, especially without a lot of hard data to back up my hypotheses. It wouldn't surprise me to see the same behavior just about anywhere. It really feels like the general public is only protected by the security experts who successfully manage to wrestle in a win or the developers who squeeze in a little bit of extra care.
The accountability trend and games being played here seem clearer to operations and leadership than to those on the front lines. Hopefully, folks in the trenches don't forget to cover their own asses so they aren’t scapegoated when leadership neglects security.
Nothing conspiratorial about it; cybersecurity is a shitshow. Part of it is misaligned incentives such as check-box compliance theatre, but to cut the industry (a little) slack, security is a really, really hard problem, even with well understood, well defined systems.
When it is seen as a cost center frustration that makes it hard to do your job properly (which is how it is seen by 99%+ of the world), hard becomes almost impossible. You wind up making a lot of compromises just to keep some semblance of things running, but how the sausage is made is really ugly. I think it genuinely would shock people to know how many companies out there are surviving because of a single, non-backed up Excel horrorshow running on a server that is a structural component to the shelf that holds the water cooler*, or some other equally awful Sword of Damocles.
I bought as much of their stock as I could afford shortly after the incident and I have no regrets.
There are no other players in this game at this scale. There are so many multi-year contracts that they literally could not fail because of a single issue.
I think that their position to be able to halt half of the businesses in the west with a single update is absolutely insane but it was obvious that they weren't going down from this.
In that vein, while I can't speak to other players existing/not existing in this market, you are spot on about multi-year contracts being the norm.
If they're going to see an exodus, it'll be when those contracts have a year or two remaining and the companies start doing RFPs for replacements. It's going to be a slow bleed, if at all (as others noted...short memories and all). I would be surprised if Crowdstrike still has as large of a customer base in 5 years, especially if more competition springs up, but 6 months is far too soon to evaluate the long-term health of a company like this, short of having corporate espionage gauging what their customers are doing.
My company didn't immediately ditch LastPass when the data breach announcements went out....but we sure as heck started investigating alternatives and were ready to flip over the day the contract ran out.
It was a stupid, expensive mistake but also sits in the area of "shit happens," even if it led to a world of IT workers losing sleep over it (myself included). Any company is capable of a mistake of that magnitude, unfortunately.
I would really really really like to be clear that the level of "shit happens" here is sorta like saying "well of course when you operate on someone without gloves or sterile instruments, some are going to get infections".
Like yeah...that's true, but why the fuck were you doing that in the first place?
Shit happens from the perspective of us, the consumer. Obviously this was a failure of some sort of internal policies at CrowdStrike, but it is also the sort of lapse that will occur eventually in any sort of regulated system.
I've got to push back on this. The mistake was not a 'shit happens' level event, it was something that even barebones testing would have caught. The unprofessional behavior of the level that allowed this to happen should rise to the level of criminal complaint, and I am being serious when I say that.
Other industries have expensive and time-consuming-to-obtain certifications, degrees and titles one must possess before being able to operate/work in that field, since history has taught us humans that people who construct buildings, work with fire, heal people or, later, those who were engineers, carry with them a special obligation towards others in their group.
Somehow, Computer Science and its application fields have managed to evade requiring proof of not just knowledge, but also responsibility before a standardized governmental or otherwise official board. With all its up- and downsides – low cost of entry into the job field on the one hand, disaster-enabling clueless management without professional associations keeping them in check on the other.
A civil engineer, architect or surgeon could literally lose the right to practice their job they trained hard to work for over a screw-up half the category of whatever Crowdstrike allowed to happen. Accordingly, even in big firms and offices where the technical employees don’t provide the management people, such errors tend to happen, at least mostly, in less severity.
I have an engineer friend of mine that is especially angry at the title of software engineer. Their stance is that anybody with that title should have to go through the kind of certification process and accountability that a regular engineer does.
We need to bring back demands for 99.9999% uptime, for all software. About 52 minutes of downtime a year. And "intermittent availability" counts against that downtime. This "fail fast" mentality has poisoned the idea of stability.
The technology is even there now for things like hot-patching kernels, which was the hardest sore spot of the past.
Some software development has standards that rise to the demands of civil engineers. But also most software isn't so important or long-lived as the work of civil engineers. It's ridiculous to demand 6 9s of uptime from all software.
I generally prefer stupider terms for my title: Computer Man or Webmaster.
While the "all" was a bit hyperbolic, I would say that the following should definitely be:
Databases.
Operating systems and the hardware that uses them.
Server processes (i.e. NGINX, Node, k8s, etc).
The reason I say all is because all should strive for it. Especially any app that is being sold. The thing is, those top 3 used to be pretty damn reliable in that vein if the effort and money was spent to actually make it happen. It can still happen today, but it requires a fundamental shift away from the "make the developer's life easier" mentality into "damn the developer's convenience, make the thing always work."
The problem is that when anybody slouches, you end up with endlessly cascading bugs as people rely downstream on stuff.
The main point being that the title "software engineer" should be reserved for people who are qualified for proper engineering tasks....like designing and testing car interfaces. It is mindboggling to me that any of these things make it out of QA.
Well, sure, just like I can throw together a good garden shed without the same rigor as building a house. But I genuinely do think that anything that handles PII should be treated with severe consequences if mishandled, and if that stops the flow of rampant data collection for marketing from crappy apps, even better.
I've worked in tech the majority of my career, and I'm right there with you. I wish there was a real, genuine cert that actually carried some weight, like the PE license. Maybe someday.
The issue is that all the top universities stopped paying for engineering certification for their CS programs, so if you wanted to make a protected title everyone would just change the word rather than apply the restriction, since you’d lose all of your top talent.
I'd say security is more important than uptime. As other posters say, some projects might not need 100% uptime. However, if a user reuses passwords and that software gets breached, the attacker may credential-stuff other software. Not to mention other potential uses of PII.
I shudder to think about people who don't pass my interview bar, so they have to find work somewhere; they might work for the companies that take government contracts and build things that store my data within the government...
Is your friend in the US? If so, most engineers here are not required to have a PE to work on projects. Most engineers work in industries/companies covered by an industrial exemption and I have never heard of a "mechanical developer" title. As far as I can tell, only civil engineers really need a licensed PE to sign off on work. Not only that, but "engineer" is generally not a protected term here, so plenty of engineers should be drawing your friend's ire.
Lastly, the difference between designing a bridge and designing something like CrowdStrike is that designing a bridge occupies a much smaller problem space with known good solutions. CrowdStrike is constantly changing to counter evolving threats. A PE signs off on a bridge once and that project is done for a long time. Will you find a software PE that can understand every subsystem in CrowdStrike, verify it was done correctly with no fatal flaws, and then do that verification every week when they update? It literally cannot exist without the industry grinding to a halt if not outright regressing.
If something arises here, it will look much different than what civil engineers go through.
I do see job postings seeking other engineer types based in the US with an active PE license, so while it's not as entrenched here, the likely thing preventing more uptake is a lax regulatory framework.
Ideally you would have sufficient numbers of PEs to do the work required within a reasonable timeframe. And while unexpected interactions are inevitable, having some sort of equivalence means a better adherence to basic QA.
The thing preventing more uptake is probably that it's not necessary. PE first came about because of cost overruns and a theory that a licensed engineer could predict costs better. An engineer is one who does engineering work (and engineering work is what an engineer does). It stands to reason that if society existed for this long without airplanes falling out of the sky every day that society likely did not need as many PEs to exist as claimed because unlicensed engineers are still good at doing engineering work.
On page 34 here, it shows ~1M engineering licenses, but that counts licenses per state and not number of people who hold a license. Many engineers hold licenses in each state because engineering licenses are not a federal concept but a state one. NSPE estimates there are over 2M practicing engineers. So at best, ~50% of practicing engineers are not licensed, but at worst, ~75% of engineers are not licensed.
At the end of the day:
NSPE also uses the term engineer for non-licensed engineers (see above "practicing engineer")
at least half of practicing engineers are not licensed engineers
software engineers don't have an avenue to go get licensed, so if this were a moral issue, then go yell at the non-software engineers for not getting licensed first
engineers existed before licenses started to come about in 1906 (took 40 years for all states to adopt)
most countries don't have a license requirement for engineering work
engineers that have a problem with the term "software engineer" because of licensing better not call themselves engineers outside of the states that they are licensed in!
In the course of my research, I learned that it's relatively uncommon to have a PE in the aerospace, mechanical, chemical and electrical fields. It is extremely common with civil engineers.
Yeah, getting your PE license is a waste of time and money for most engineers outside of the construction/civil engineering space. I don’t think I’ve seen one in my industry, and I’m in Med Device/Pharma which many laypeople might assume would require a PE. I’m sure they exist, but it’s definitely not commonplace or a necessity.
If anyone is interested in the details of how it happened and how they fixed the bugs, CrowdStrike published a postmortem.
It looks to me like enough bugs were fixed that it’s unlikely to happen the same way again, or in similar ways.
But this is the second time a fuck up of such colossal magnitude is at the feet of the CEO!
https://www.hindustantimes.com/trending/crowdstrike-ceo-george-kurtz-was-cto-of-mcafee-in-2010-global-tech-disaster-101721471586633.html
(* a 100% real example from years ago)
To keep it short, I think we see very eye to eye here!
I bought as much of their stock as I could afford shortly after the incident and I have no regrets.
There are no other players in this game at this scale. There are so many multi-year contracts that they literally could not fail because of a single issue.
I think that their position to be able to halt half of the businesses in the west with a single update is absolutely insane but it was obvious that they weren't going down from this.
In that vein, while I can't speak to other players existing/not existing in this market, you are spot on about multi-year contracts being the norm.
If they're going to see an exodus, it'll be when those contracts have a year or two remaining and the companies start doing RFP's for replacements. It's going to be a slow bleed, if at all (as others noted...short memories and all). I would be surprised if Crowdstrike still has as large of a customer base in 5 years, especially if more competition springs up, but 6 months is far too soon to evaluate the long-term health of a company like this, short of having corporate espionage gauging what their customers are doing.
My company didn't immediately ditch LastPass when the data breach announcements went out....but we sure as heck started investigating alternatives and were ready to flip over the day the contract ran out.
It was a stupid, expensive, mistake but also sits in the area of "shit happens," even if it led to a world of IT workers losing sleep over it (myself included). Any company is capable of a mistake of that magnitude, unfortunately.
I would really really really like to be clear that the level of "shit happens" here is sorta like saying "well of course when you operate on someone without gloves or sterile instruments, some are going to get infections".
Like yeah...that's true, but why the fuck were you doing that in the first place?
Shit happens from the perspective of us, the consumer. Obviously this was a failure of some sort of internal policies at CloudStrike, but it is also the sort of lapse that will occur eventually in any sort of regulated system.
I've got to push back on this. The mistake was not a 'shit happens' level event, it was something that even barebones testing would have caught. The unprofessional behavior of the level that allowed this to happen should rise to the level of criminal complaint, and I am being serious when I say that.
Other industries have expensive and time-consuming to obtain certifications and degrees and titles one must possess before being able to operate/work in that field, since history has taught us humans that people who construct buildings, work with fire, heal people or later those who were engineers, carry with them a special obligation towards others in their group.
Somehow, Computer Science and its application fields have managed to evade requiring proof of not just knowledge, but also responsibility before a standardized governmental or otherwise official board. With all its up- and downsides – low cost of entry into the job field on the one hand, disaster-enabling clueless management without profession associations keeping them in check on the other.
A civil engineer, architect or surgeon could literally lose the right to practice their job they trained hard to work for over a screw-up half the category of whatever Crowdstrike allowed to happen. Accordingly, even in big firms and offices where the technical employees don’t provide the management people, such errors tend to happen, at least mostly, in less severity.
I have an engineer friend of mine that is especially angry at the title of software engineer. Their stance is that anybody with that title should have to go through the kind of certification process and accountability that a regular engineer does.
We need to bring back demands for 99.9999% uptime, for all software. About 52 minutes of downtime a year. And "intermittent availability" counts against that downtime. This "fail fast" mentality has poisoned the idea of stability.
The technology is even there now for things like hot-patching kernels, which was the hardest sore spot of the past.
Some software development has standards that rise to the demands of civil engineers. But also most software isn't so important or long-lived as the work of civil engineers. It's ridiculous to demand 6 9s of uptime from all software.
I generally prefer stupider terms for my title: Computer Man or Webmaster.
While the "all" was a bit hyperbolic, I would say that the following should definitely be:
Databases.
Operating systems and the hardware that uses them.
Server processes (i.e. NGINX, Node, k8s, etc.).
The reason I say all is because all should strive for it. Especially any app that is being sold. The thing is, those top 3 used to be pretty damn reliable in that vein if the effort and money was spent to actually make it happen. It can still happen today, but it requires a fundamental shift away from the "make the developer's life easier" mentality into "damn the developer's convenience, make the thing always work."
The problem is that when anybody slouches, you end up with endlessly cascading bugs as people rely downstream on stuff.
The main point being that the title "software engineer" should be reserved for people who are qualified for proper engineering tasks... like designing and testing car interfaces. It is mind-boggling to me that any of these things make it out of QA.
Well, sure, just like I can throw together a good garden shed without the same rigor as building a house. But I genuinely do think that anything that handles PII should be treated with severe consequences if mishandled, and if that stops the flow of rampant data collection for marketing from crappy apps, even better.
I've worked in tech the majority of my career, and I'm right there with you. I wish there was a real, genuine cert that actually carried some weight, like the PE license. Maybe someday.
The issue is that all the top universities stop paying for engineering certification for their CS programs, so if you wanted to make a protected title everyone would just change the word rather than apply the restriction, since you’d lose all of your top talent.
I'd say security is more important than uptime. As other posters say, some projects might not need 100% uptime. However, if a user reuses passwords and that software gets breached, the attacker may credential-stuff other software. Not to mention other potential uses of PII.
I shudder to think about people who don't pass my interview bar so they have to find work somewhere, they might work for the companies that take government contracts and build things that store my data within the government...
Is your friend in the US? If so, most engineers here are not required to have a PE to work on projects. Most engineers work in industries/companies covered by an industrial exemption and I have never heard of a "mechanical developer" title. As far as I can tell, only civil engineers really need a licensed PE to sign off on work. Not only that, but "engineer" is generally not a protected term here, so plenty of engineers should be drawing your friend's ire.
Lastly, the difference between designing a bridge and designing something like CrowdStrike is that designing a bridge occupies a much smaller problem space with known good solutions. CrowdStrike is constantly changing to counter evolving threats. A PE signs off on a bridge once and that project is done for a long time. Will you find a software PE that can understand every subsystem in CrowdStrike, verify it was done correctly with no fatal flaws, and then do that verification every week when they update? It literally cannot exist without the industry grinding to a halt if not outright regressing.
If something arises here, it will look much different than what civil engineers go through.
I do see job postings seeking other engineer types based in the US with an active PE license, so while it's not as entrenched here, the likely thing preventing more uptake is a lax regulatory framework.
Ideally you would have sufficient numbers of PEs to do the work required within a reasonable timeframe. And while unexpected interactions are inevitable, having some sort of equivalence means a better adherence to basic QA.
The thing preventing more uptake is probably that it's not necessary. PE first came about because of cost overruns and a theory that a licensed engineer could predict costs better. An engineer is one who does engineering work (and engineering work is what an engineer does). It stands to reason that if society existed for this long without airplanes falling out of the sky every day that society likely did not need as many PEs to exist as claimed because unlicensed engineers are still good at doing engineering work.
On page 34 here, it shows ~1M engineering licenses, but that counts licenses per state and not number of people who hold a license. Many engineers hold licenses in each state because engineering licenses are not a federal concept but a state one. NSPE estimates there are over 2M practicing engineers. So at best, ~50% of practicing engineers are not licensed, but at worst, ~75% of engineers are not licensed.
At the end of the day
In the course of my research, I learned that it's relatively uncommon to have a PE in the aerospace, mechanical, chemical and electrical fields. It is extremely common with civil engineers.
Yeah, getting your PE license is a waste of time and money for most engineers outside of the construction/civil engineering space. I don’t think I’ve seen one in my industry, and I’m in Med Device/Pharma which many laypeople might assume would require a PE. I’m sure they exist, but it’s definitely not commonplace or a necessity.
If anyone is interested in the details of how it happened and how they fixed the bugs, CrowdStrike published a postmortem.
It looks to me like enough bugs were fixed that it’s unlikely to happen the same way again, or in similar ways.