Ask Slashdot: Application Security Non-existent, Boss Doesn't Care. What To Do? 310

Posted by Soulskill
from the red-alert dept.
An anonymous reader writes "I am a senior engineer and software architect at a Fortune 500 company and manage a brand (website + mobile apps) that is a household name for anyone with kids. This year we migrated to a new technology platform including server hosting and application framework. I was brought in towards the end of the migration and overall it's been a smooth transition from the users' perspective. However, it's a security nightmare for sysadmins (which is all outsourced) and a ripe target for any hacker with minimal skills. We do weekly and oftentimes daily releases that contain and build upon the same security vulnerabilities. Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department. I inform my direct manager and colleagues about security issues before they are deployed and the response is always, 'we need to meet deadlines, we can fix security issues at a later point.' I'm at a loss as to what I should do. Should I go over my manager's head and inform her boss? Approach legal and tell them about our many violations of COPPA? Should I refuse to deploy code until these issues are fixed? Should I look for a new job? What would you do in my situation?"
  • EASY (Score:5, Insightful)

    by houbou (1097327) on Wednesday December 04, 2013 @05:08PM (#45600633) Journal
    Document your correspondence with your boss when you notify them of vital security issues. Make sure your e-mails are not only backed up, but that you get read receipts or something showing your boss opened the e-mail (and might have read it). Keep those receipts archived. When poop hits the fan, at least you are protected.
  • Da fuq? (Score:0, Insightful)

    by Anonymous Coward on Wednesday December 04, 2013 @05:11PM (#45600701)

    Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department.

    Well there's your problem.

  • Re:Find a new job (Score:4, Insightful)

    by Aighearach (97333) on Wednesday December 04, 2013 @05:13PM (#45600727) Homepage

    Or just care less.

  • Re:Find a new job (Score:4, Insightful)

    by mlts (1038732) * on Wednesday December 04, 2013 @05:15PM (#45600783)

    Seconded. This is a pile of manure just waiting to fall onto someone as a scapegoat, and it might be that the application is already compromised.

    Approaching legal won't do the trick. They will immediately turn around and tell the boss that so and so have gone over their head... and this won't be good for future (or present) job prospects.

    Were I in your shoes, I would be honing my LinkedIn profile, updating the resume, maybe shooting for a certificate or two for keywords, and starting the hunt.

    In previous IT jobs, I've heard the mantra, "security has no ROI" plenty of times, followed by, "Geek Squad can fix it if we get hacked" when I ask the obvious followup question. When you hear that song and dance, run.

  • Paper trail (Score:5, Insightful)

    by bugnuts (94678) on Wednesday December 04, 2013 @05:18PM (#45600827) Journal

    Plain and simple, keep your old emails, offline. If you get cornered for a conversation in person or phone, no problem... just dash off an email stating "You know how you were telling me at lunch not to worry about the security vulns? This still really bothers me. There's got to be a way to mitigate it without affecting deadlines. Imagine the missed deadlines if we lose our infrastructure to an easy hack."

    Don't sound like a troublemaker, but rather, a concerned worker.

    Make it clear you're the professional, and in your professional opinion and that of industry standards, security is sorely lacking. Itemize the issues you have in an email. Keep that email.

    Support their decisions, and live with it.

    Finally, if the shit hits the fan and anyone points fingers at you, refer them to that email. If they fire you for it, that's when you become a troublemaker.

  • Re:EASY (Score:5, Insightful)

    by Penguinisto (415985) on Wednesday December 04, 2013 @05:20PM (#45600885) Journal

    All that, and it wouldn't hurt to print off copies of those emails (and his responses!) and take those home for personal storage. That way, if poop-meets-fan and they suddenly perp-walk you out (before you have a chance to reach for your backups or suchlike) you still have usable documentation. This is in case any governmental authorities get involved, a lawsuit springs from it, etc.

    Printing also gives you the advantage of having backups that you can walk out of the building with and not set off any alarms, since many tightly-regulated companies lock down the use of USB sticks, external hard disks, etc. (My last employer, a web-banking software house, would literally fire you on the spot if you got caught using a geek stick or external drive on their desk/laptop equipment or servers, at least if you did it w/o prior written manager authorization and only on authorized devices.)

    To top that off, the printed copies are protection against an 'oops - our retention is only set to two weeks and the backups were corrupted somehow; sorry, sucker!' move. F500 firms generally blow away anything in the inbox that's more than a couple of weeks old anyway, so if you forget to archive it off to a .pst or another folder, it's usually gone by week 3, with no recourse.

    Meanwhile, it wouldn't hurt to have a bit of a side conversation with someone in legal (for a start), then escalate it to formal conversations with them via email (again, print those suckers off) should nothing get resolved.

  • Re:EASY (Score:5, Insightful)

    by Jeremiah Cornelius (137) on Wednesday December 04, 2013 @05:22PM (#45600927) Homepage Journal

    Find another job.

    These are not the only problems, just the ones you have seen.

  • Re:EASY (Score:4, Insightful)

    by sneakyimp (1161443) on Wednesday December 04, 2013 @05:22PM (#45600929)
    Yes, it's definitely a good idea to cover one's ass, but curing a problem is a lot harder than preventing one. If it were me, I would go get the access logs (like SSH logs and Apache logs) and point out all of the brute hack attempts that are likely to be in there. E.g., brute-forced SSH login attempts, SQL injection attempts, etc. I would then say to boss-man: "THESE ARE HACK ATTEMPTS and they will ultimately succeed and I want to fix them. If you don't let me fix them, you will have to take the blame." I do think that it is reasonable to draw attention to security problems even if it does step on some toes. Putting marketing folks in charge of code development is particularly infuriating to me as a developer. Rat those hacks out. As for your boss, I'd give her/him a few chances to fix and then go around. I believe it was Gen. George S. Patton who claimed he would always shift his loyalties to whoever was highest up the food chain once he made contact with them. It's a bit cutthroat, but sometimes called for if someone is doing the wrong thing.
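    The evidence-gathering step described in the comment above, as an added example that is not part of the original post or the submitter's environment: it scans sshd auth-log lines for repeated failed logins per source address and Apache access-log lines for query strings carrying SQL-injection markers, then produces the summary you would hand to a manager. The log lines, host names, paths and the five-failure threshold are all constructed for the example; the regexes are deliberately narrow so the output stays readable.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample sshd log (not real data); addresses are RFC 5737 documentation ranges.
SSH_AUTH_LOG = """\
Dec  4 17:08:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec  4 17:08:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Dec  4 17:08:05 web01 sshd[2234]: Failed password for root from 203.0.113.5 port 40124 ssh2
Dec  4 17:08:06 web01 sshd[2236]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Dec  4 17:08:09 web01 sshd[2240]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2
Dec  4 17:08:40 web01 sshd[2250]: Failed password for deploy from 198.51.100.7 port 51002 ssh2
Dec  4 17:09:01 web01 sshd[2252]: Accepted publickey for deploy from 198.51.100.7 port 51003 ssh2
"""

# Constructed sample Apache combined-format access log (not real data).
APACHE_ACCESS_LOG = """\
203.0.113.9 - - [04/Dec/2013:17:10:01 -0500] "GET /games/list.php?id=7 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Dec/2013:17:10:02 -0500] "GET /games/list.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Dec/2013:17:10:04 -0500] "GET /games/list.php?id=7%20UNION%20SELECT%20null,null HTTP/1.1" 500 312 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Dec/2013:17:11:15 -0500] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# sshd reports both "Failed password for <user>" and "Failed password for invalid user <user>".
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

# Apache combined format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# A few well-known injection markers, matched against the URL-decoded query string.
SQLI_RE = re.compile(
    r"'\s*(?:or|and)\b|\bunion\s+select\b|\binformation_schema\b|\bsleep\s*\(",
    re.IGNORECASE,
)


def summarize_ssh(log_text, threshold=5):
    """Count failed SSH logins per source IP; flag sources at or above `threshold`.

    Returns (failures, flagged): failures is a Counter of IP -> failed attempts,
    flagged maps each IP over the threshold to its count and the usernames tried.
    """
    failures = Counter()
    usernames = defaultdict(set)
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
    flagged = {
        ip: {"failures": n, "usernames": sorted(usernames[ip])}
        for ip, n in failures.items()
        if n >= threshold
    }
    return failures, flagged


def find_sqli_requests(log_text):
    """Return requests whose decoded query string contains an injection marker."""
    hits = []
    for line in log_text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, timestamp, method, path, status = m.groups()
        decoded = unquote(path)
        query = decoded.partition("?")[2]  # empty string when there is no query
        if query and SQLI_RE.search(query):
            hits.append({"ip": ip, "time": timestamp, "method": method,
                         "path": decoded, "status": status})
    return hits


def build_report(ssh_log, access_log, threshold=5):
    """Produce the plain-text summary to attach to the e-mail to management."""
    _, flagged = summarize_ssh(ssh_log, threshold)
    sqli = find_sqli_requests(access_log)
    lines = []
    for ip, info in sorted(flagged.items()):
        lines.append(f"SSH brute force from {ip}: {info['failures']} failures, "
                     f"usernames tried: {', '.join(info['usernames'])}")
    for h in sqli:
        lines.append(f"SQL injection probe from {h['ip']} at {h['time']}: "
                     f"{h['method']} {h['path']} -> HTTP {h['status']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(SSH_AUTH_LOG, APACHE_ACCESS_LOG))
```

    The HTTP 500 on the UNION probe is the kind of detail worth pointing out in the report: a server error on a malformed query string suggests the parameter reaches the database unsanitized, which is the finding that needs a fix rather than just a firewall rule.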
  • Re:Don't ask /. (Score:5, Insightful)

    by paavo512 (2866903) on Wednesday December 04, 2013 @05:26PM (#45601033)

    At this point, I would do nothing. If they aren't hacked within a week after you post this article, then the security vulnerabilities don't really matter.

    Maybe this was the strategy of OP? In that case, brilliant!

  • by Anonymous Coward on Wednesday December 04, 2013 @05:28PM (#45601063)

    A Fortune 500 company that deals with any area that has Federal compliance laws like COPPA, HIPAA, etc. should have a compliance officer. They would be the person to contact for issues like this, and contacting them should address all your issues.

    1) It gives a paper trail showing you raised the issue and should prevent you from being the scapegoat when something happens.

    2) It should give you someone who understands the relative compliance laws and the risks associated with not complying.

    3) The compliance officer should then have the juice to get something done if they determine this is a legitimate issue. If they determine it isn't an issue then their neck is on the line not yours.

  • Re:Da fuq? (Score:5, Insightful)

    by tsa (15680) on Wednesday December 04, 2013 @05:29PM (#45601113) Homepage

    He knows what his problem is. Why is your comment rated insightful?

  • by Goonie (8651) <robert@merkel.benambra@org> on Wednesday December 04, 2013 @05:30PM (#45601121) Homepage
    While trade/labor unions are much maligned in the often libertarian-leaning IT community, this is the kind of situation where a bit of organization amongst colleagues, along the lines of what engineers or medical professionals have, would actually be useful.

    But given that we have the IT professional community that we have:

    • Document that you've told your boss, and probably your boss's boss, and probably the legal department (perhaps informally and verbally initially). If you've told them, it's their problem, not yours.
    • Start polishing your resume. Whistleblowing usually has negative consequences for the whistleblower - and, furthermore, continuing to work for an organization which has such a lax attitude to software poses a risk to your career if you stay there.

    Incidentally, your case neatly demonstrates the near-uselessness of the IEEE-ACM Software Engineering Code of Ethics [computer.org], which is very long on what the ethical obligations of a software engineer are, but has nothing useful to say about what you should do where others are ordering you to act unethically.

  • Re:B'OH! (Score:4, Insightful)

    by geminidomino (614729) on Wednesday December 04, 2013 @05:52PM (#45601489) Journal

    He said CC and he meant it. Part of the logic (he even said it explicitly) is that the boss sees "Oh crap, now all these other people in the company know what's going on, and will be watching to see what I do about it."

  • Re:EASY (Score:4, Insightful)

    by Bogtha (906264) on Wednesday December 04, 2013 @06:03PM (#45601657)

    Meanwhile, it wouldn't hurt to have a bit of a side conversation with someone in legal (for a start), then escalate it to formal conversations with them via email (again, print those suckers off) should nothing get resolved.

    You don't have to approach them as if you are blowing the whistle on your boss. Just tell them you are concerned about your personal liability should you get caught breaking the law.

  • Re:EASY (Score:5, Insightful)

    by Nefarious Wheel (628136) on Wednesday December 04, 2013 @06:03PM (#45601679) Journal

    Marketing is driving the software?
    They don't care about security?
    System administration is outsourced?

    Quit. Leave now. Take only your jacket. Your adrenals will thank you later.

  • Re:EASY (Score:5, Insightful)

    by TheCarp (96830) <[ten.tenaprac] [ta] [cjs]> on Wednesday December 04, 2013 @06:03PM (#45601681) Homepage

    Potentially good advice, potentially bad.

    I work at a large company where this wouldn't fly for one reason: We have a security policy that specifically forbids it. Under the security policy, we have specific guidance for who must be told and, very specifically, that it should not be discussed or divulged beyond that.

    So check the policies first, because, just sending a message out to a large group of people may get you in hot water itself for violating policy.

    Oh, and... fuck that shit entirely. Get yourself back on the market; if you have to hammer them to get them to take real security issues seriously, it's not worth it.

  • Re:EASY (Score:3, Insightful)

    by Anonymous Coward on Wednesday December 04, 2013 @06:46PM (#45602349)

    So, how were things at MtGox?

  • by epe (851815) on Wednesday December 04, 2013 @07:00PM (#45602521)

    Leave ASAP. Quit: it is a problem of ethics. Don't work in an environment that does not adjust to your ethics. That's it.

  • Re:B'OH! (Score:5, Insightful)

    by TapeCutter (624760) on Wednesday December 04, 2013 @07:01PM (#45602547) Journal
    This isn't a Dr. Evil plot, the boss isn't hiding anything from anyone, the boss simply believes other things are more important than a secure web site. "Web sites are cheap but a secure one is expensive" is probably closer to the level of thought running through the boss's head. Programmers are not automatically "right" every time they say something needs doing. The boss in TFA probably sees the programmer as a loyal employee who's concerned about the quality of his work but is blowing the problem out of proportion.

    It's a hard life lesson for geeks to learn that "correct" is not sufficient evidence to convince others to follow your lead in the real world. Of course you should cover your arse, but if that is your only motivation then you're no better than the Dr. Evil you describe in your post. If you turn the issue into a battle of wills, or a gotcha moment, then you will more than likely lose the argument and it will become more difficult to raise the subject in the future. Nobody benefits from that, least of all the programmer.

    OTOH arseholes do exist and if you have one as a boss in a small to medium sized business there is little you can do about it other than to walk out. Don't think of it as quitting, think of it as sacking the boss.

    Disclaimer: Developer with 20+yrs experience, computers are easy, people are difficult.
  • by raymorris (2726007) on Wednesday December 04, 2013 @07:13PM (#45602691)

    I would extend that to say don't ever tell the boss what they need to do in a way that implies they don't know how to do their own job. That can be tricky if you are recommending that they reverse their own decision. Don't "act like you're smarter than the boss".

    What has worked for me and people working for me is to bring facts along with a "from a programmer's perspective this option looks attractive" recommendation. Change "programmer's perspective" to whatever is appropriate. For many years I did IT security. CxOs would sometimes ask "should we do this" or "what should we do". I try to remember to answer "that's a business decision that's up to you, but FROM A SECURITY PERSPECTIVE ...".

    The idea is to recognize and explicitly state that you are looking at it from a specialist's perspective, focusing mostly on one aspect of it. What you don't know, but the boss may know, is if they are planning on scrapping the entire project next month anyway. I can't tell the boss that we should upgrade X, because as far as I know the entire division that uses X may be getting laid off tomorrow. What I can tell the boss is that an upgrade to X would provide benefits Y and Z, at a cost of A.

  • Re:EASY (Score:5, Insightful)

    by Grishnakh (216268) on Wednesday December 04, 2013 @08:42PM (#45603573)

    No, don't leave. Find a new job, get an offer, accept it, then leave.

    It's extremely unlikely they're going to get into any criminal legal trouble in that time, and even if they do, it won't be traced to you. Get out and just find a new job. Don't try to be a hero: America hates whistleblowers, and there are zero protections for them here. If you reveal the problems, you'll never get a job again, because you'll be seen as a liability. Anyone who's ever blown the whistle on anything will tell you this. It just isn't worth it. The only way to blow the whistle is to do it anonymously somehow, so it doesn't taint you with a reputation as a "rat fink".
