
Ask Slashdot: Application Security Non-existent, Boss Doesn't Care. What To Do?

Posted by Soulskill
from the red-alert dept.
An anonymous reader writes "I am a senior engineer and software architect at a fortune 500 company and manage a brand (website + mobile apps) that is a household name for anyone with kids. This year we migrated to a new technology platform including server hosting and application framework. I was brought in towards the end of the migration and overall it's been a smooth transition from the users' perspective. However it's a security nightmare for sysadmins (which is all outsourced) and a ripe target for any hacker with minimal skills. We do weekly and oftentimes daily releases that contain and build upon the same security vulnerabilities. Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department. I inform my direct manager and colleagues about security issues before they are deployed and the response is always, 'we need to meet deadlines, we can fix security issues at a later point.' I'm at a loss at what I should do. Should I go over my manager's head and inform her boss? Approach legal and tell them about our many violations of COPPA? Should I refuse to deploy code until these issues are fixed? Should I look for a new job? What would you do in my situation?"


  • EASY (Score:5, Insightful)

    by houbou (1097327) on Wednesday December 04, 2013 @05:08PM (#45600633) Journal
    Document your correspondences to your boss when you notify vital security issues. Make sure your e-mails are not only backed-up, but you get read receipts or something showing your boss opened the e-mail (and might have read it). Keep those receipts archived. When poop hits the fan, at least, you are protected.
    • Re:EASY (Score:5, Insightful)

      by Penguinisto (415985) on Wednesday December 04, 2013 @05:20PM (#45600885) Journal

      All that, and it wouldn't hurt to print off copies of those emails (and his responses!) and take those home for personal storage. That way, if poop-meets-fan and they suddenly perp-walk you out (before you have a chance to reach for your backups or suchlike) you still have usable documentation - this is in case any governmental authorities get involved, a lawsuit springs from it, etc.

      Printing also gives you the advantage of having backups that you can walk out of the building with and not set off any alarms, since many tightly-regulated companies lock down the use of USB sticks, external hard disks, and etc. (my last employer -- a web-banking software house-- would literally fire you on the spot if you got caught using a geek stick or external drive on their desk/laptop equipment or servers - at least if you do it w/o prior written manager authorization and only on authorized devices.)

      To top that off, the printed copies are protection against an 'oops - our retention is only set to two weeks and the backups were corrupted somehow; sorry, sucker!' move. F500 firms generally blow away anything in the inbox that's more than a couple of weeks old anyway, so if you forget to archive it off to a .pst or another folder, it's usually gone by week 3, with no recourse.

      Meanwhile, it wouldn't hurt to have a bit of a side conversation with someone in legal (for a start), then escalate it to formal conversations with them via email (again, print those suckers off) should nothing get resolved.

      • Re:EASY (Score:5, Informative)

        by Garridan (597129) on Wednesday December 04, 2013 @05:24PM (#45600957)

        Cover your ass BEFORE you talk to somebody in legal. The legal department is there to protect the company and NOT its employees. A good legal dept will say "hey, this employee is trying to reduce our liability" -- but a bad one will say "this employee is a liability" and shoot the messenger.

        • Agreed. Always line up the ducks before you go shooting.

          • Re:EASY (Score:5, Insightful)

            by Nefarious Wheel (628136) on Wednesday December 04, 2013 @06:03PM (#45601679) Journal

            Marketing is driving the software?
            They don't care about security?
            System administration is outsourced?

            Quit. Leave now. Take only your jacket. Your adrenals will thank you later.

      • If you're needing paper backups to CYA for a perp-walk, you can probably find better pay and benefits in a less stressful job at another company.

      • Re:EASY (Score:4, Insightful)

        by Bogtha (906264) on Wednesday December 04, 2013 @06:03PM (#45601657)

        Meanwhile, it wouldn't hurt to have a bit of a side conversation with someone in legal (for a start), then escalate it to formal conversations with them via email (again, print those suckers off) should nothing get resolved.

        You don't have to approach them as if you are blowing the whistle on your boss. Just tell them you are concerned about your personal liability should you get caught breaking the law.

      • by styrotech (136124)

        Printing also gives you the advantage of having backups that you can walk out of the building with and not set off any alarms, since many tightly-regulated companies lock down the use of USB sticks, external hard disks, and etc. (my last employer -- a web-banking software house-- would literally fire you on the spot if you got caught using a geek stick or external drive on their desk/laptop equipment or servers - at least if you do it w/o prior written manager authorization and only on authorized devices.)

        I

    • Re:EASY (Score:5, Interesting)

      by MillerHighLife21 (876240) on Wednesday December 04, 2013 @05:22PM (#45600921) Homepage

      This. My last job was at an after market buy/sell/trade website where I got to take over the whole project mid-rebuild after the previous staff walked out/botched the job/etc. The user base was under constant attack from phishing, fraud, scams doing literally everything you could imagine including hacking accounts. The users complained about it constantly, people were losing trust in the site.

      The owners' only concerns were that I add new functionality. One of them wanted me to build a blog in the midst of all this. Also were totally willing to sell user information to ad companies if it meant better ad deals.

      The core of the entire business was the part that was under attack. Being the only programmer there and realizing that there would not be a job left to complain about if I didn't do what needed to be done, I finally just started doing everything once all attempts at communicating the level of importance had failed. Built and integrated security features that had been present in the previous platform. Developed anti-phishing tools. Added intrusion detection for accounts. Built my own anti-spam system. By the time I was done with it, user complaints had nearly stopped and people were significantly more comfortable. Trading went back up. Crisis was over.

      Owners didn't think I was working hard enough.

      In the end I collected enough numbers to measurably illustrate the impact that my work had on the company, so I resigned with an awesome resume addition in hand that promptly landed me a muuuuuuuch better job with a better company.

      Moral of the story: Do your due diligence. Try to communicate the importance. If you can provide numbers that put things in perspective for somebody more business minded - do it. At the end of the day though, owners who don't understand probably won't care. In this particular situation, if I didn't take the action that I did the company would have gone under. Others may be different though, so you need to be able to measure the cost of a breach in financial terms because that is the ONLY thing the owners will care about.

      Outside of that, C.Y.A.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        So, how were things at MtGox?

    • Re:EASY (Score:5, Insightful)

      by Jeremiah Cornelius (137) on Wednesday December 04, 2013 @05:22PM (#45600927) Homepage Journal

      Find another job.

      These are not the only problems, just the ones you have seen.

      • by tsa (15680)

        Indeed. However well you document the lack of progress and the disinterest of the managers, when something happens it will be your fault and you will have a shitload of problems. Leave ASAP.

        • Re:EASY (Score:4, Interesting)

          by asliarun (636603) on Wednesday December 04, 2013 @06:03PM (#45601659)

          Indeed. However well you document the lack of progress and the disinterest of the managers, when something happens it will be your fault and you will have a shitload of problems. Leave ASAP.

          Yes, agree 100%. Leave ASAP.

          The other way to think about this is - any organization is only as good as your boss. If she or he is veritable shite, the organization is as well. You are not only wasting your time, you are doing the equivalent of hanging out with a bunch of dicey "friends" who might go do something illegal when they are tanked up.

          • Re:EASY (Score:5, Insightful)

            by Grishnakh (216268) on Wednesday December 04, 2013 @08:42PM (#45603573)

            No, don't leave. Find a new job, get an offer, accept it, then leave.

            It's extremely unlikely they're going to get into any criminal legal trouble in that time, and even if they do, it won't be traced to you. Get out and just find a new job. Don't try to be a hero: America hates whistleblowers, and there are zero protections for them here. If you reveal the problems, you'll never get a job again, because you'll be seen as a liability. Anyone who's ever blown the whistle on anything will tell you this. It just isn't worth it. The only way to blow the whistle is to do it anonymously somehow, so it doesn't taint you with a reputation as a "rat fink".

      • by DogDude (805747)
        Why find another job? That doesn't make any sense.
      • Re: (Score:3, Interesting)

        by Darinbob (1142669)

        Why? If the pay is good just keep at it. An employee never needs to become emotionally invested in the company. It's perfectly acceptable to go home every day and complain that the job sucks and everyone there is an idiot. A company that has problems means that there will be a lot of work coming down the pipeline to keep you employed.

        It is hubris to leave a job because of management problems at the company that don't affect the actual job, because no one is that important and there are no perfectly maan

    • Re:EASY (Score:4, Insightful)

      by sneakyimp (1161443) on Wednesday December 04, 2013 @05:22PM (#45600929)
      Yes it's definitely a good idea to cover one's ass, but curing a problem is a lot harder than preventing one. If it were me, I would go get the access logs (like SSH logs and apache logs) and point out all of the brute hack attempts that are likely to be in there. E.g., brute forced ssh login attempts, SQL injection attempts, etc. I would then say to boss-man: "THESE ARE HACK ATTEMPTS and they will ultimately succeed and I want to fix them. If you don't let me fix them, you will have to take the blame." I do think that it is reasonable to draw attention to security problems even if it does step on some toes. Putting marketing folks in charge of code development is particularly infuriating to me as a developer. Rat those hacks out. As for your boss, I'd give her/him a few chances to fix and then go around. I believe it was Gen. George S. Patton that claimed he would always shift his loyalties to whoever was highest up the food chain once he made contact with them. It's a bit cutthroat, but sometimes called for if someone is doing the wrong thing.
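The comment above suggests pulling the SSH and Apache logs to show management the attack attempts already hitting the servers. The script below is an added example of how to do that, not code from the original post or from the poster's company. It scans sshd `auth.log` lines for repeated failed logins per source address and Apache combined-format access log lines for request URIs that carry common SQL-injection signatures, then returns a summary suitable for an email to a manager. The log lines, hostnames and addresses are constructed sample data (RFC 5737 documentation ranges), and the pattern list and threshold are assumptions a reader would tune to their own environment.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in sshd auth.log format (not real data).
AUTH_LOG = """\
Dec  4 17:08:01 web01 sshd[2041]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec  4 17:08:03 web01 sshd[2041]: Failed password for root from 203.0.113.7 port 51130 ssh2
Dec  4 17:08:05 web01 sshd[2043]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2
Dec  4 17:08:06 web01 sshd[2045]: Failed password for invalid user oracle from 203.0.113.7 port 51151 ssh2
Dec  4 17:08:09 web01 sshd[2047]: Failed password for invalid user test from 203.0.113.7 port 51160 ssh2
Dec  4 17:09:14 web01 sshd[2050]: Accepted publickey for deploy from 198.51.100.12 port 40022 ssh2
Dec  4 17:10:02 web01 sshd[2052]: Failed password for deploy from 198.51.100.12 port 40030 ssh2
"""

# Constructed sample lines in Apache combined log format (not real data).
ACCESS_LOG = """\
203.0.113.9 - - [04/Dec/2013:17:11:01 -0500] "GET /games/list?category=puzzles HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Dec/2013:17:11:04 -0500] "GET /games/list?category=puzzles'%20OR%20'1'='1 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Dec/2013:17:11:06 -0500] "GET /games/list?category=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.30 - - [04/Dec/2013:17:12:00 -0500] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# sshd logs both "Failed password for USER" and "Failed password for invalid user USER".
SSH_FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Apache combined format: client ip, identd, user, [timestamp], "METHOD URI PROTO", status, ...
APACHE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed signature list: classic tautology, UNION-based probing, trailing SQL comment.
SQLI_PATTERNS = [
    re.compile(r"'\s*(?:or|and)\b", re.IGNORECASE),
    re.compile(r"\bunion\b[\s\S]*\bselect\b", re.IGNORECASE),
    re.compile(r"(?:--|/\*)\s*$"),
]


def failed_ssh_logins(auth_log, threshold=3):
    """Return {ip: failed_login_count} for addresses at or above the threshold."""
    counts = Counter()
    for line in auth_log.splitlines():
        m = SSH_FAILED.search(line)
        if m:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def suspicious_requests(access_log):
    """Return one record per request whose decoded URI matches an injection signature."""
    hits = []
    for line in access_log.splitlines():
        m = APACHE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        uri = unquote_plus(m["uri"])  # decode %20, + etc. before matching
        matched = [p.pattern for p in SQLI_PATTERNS if p.search(uri)]
        if matched:
            hits.append({"ip": m["ip"], "uri": uri, "status": int(m["status"]), "patterns": matched})
    return hits


def summarize(auth_log, access_log, threshold=3):
    """Combine both scans into one structure that can be pasted into a report."""
    return {
        "ssh_bruteforce": failed_ssh_logins(auth_log, threshold),
        "sqli_attempts": suspicious_requests(access_log),
    }


if __name__ == "__main__":
    report = summarize(AUTH_LOG, ACCESS_LOG)
    for ip, n in report["ssh_bruteforce"].items():
        print(f"{ip}: {n} failed SSH logins")
    for hit in report["sqli_attempts"]:
        print(f"{hit['ip']} -> {hit['status']} {hit['uri']}")
```

Matching on the decoded URI matters: an attacker's request is URL-encoded in the log, so a pattern applied to the raw field misses it. The 500 status on the flagged requests is also worth calling out in the report, since a server error in response to a quoted parameter is the symptom that the application is passing that parameter into a query unescaped.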
      • Re:EASY (Score:5, Informative)

        by MugenEJ8 (1788490) on Wednesday December 04, 2013 @06:28PM (#45602061)

        If you don't let me fix them, you will have to take the blame.

        Word to the wise. Don't ever tell your boss what they need to do. I've been in the work force for over fifteen years, and this holds true for small business all the way up to large enterprise.

        Best case, you've aggravated them and they will retaliate somehow. Worst case, you've aggravated them and they will retaliate somehow.

        • I would imagine a good boss would appreciate a heads up. On the other hand, I'm self employed and have been for more than fifteen years.
        • by raymorris (2726007) on Wednesday December 04, 2013 @07:13PM (#45602691)

          I would extend that to say don't ever tell the boss what they need to do in a way that implies they don't know how to do their own job. That can be tricky if you are recommending that they reverse their own decision. Don't "act like you're smarter than the boss".

          What has worked for me and people working for me is to bring facts along with a "from a programmer's perspective this option looks attractive" recommendation. Change "programmer's perspective" to whatever is appropriate. For many years I did IT security. CxOs would sometimes ask "should we do this" or "what should we do". I try to remember to answer "that's a business decision that's up to you, but FROM A SECURITY PERSPECTIVE ...".

          The idea is to recognize and explicitly state that you are looking at it from a specialist's perspective, focusing mostly on one aspect of it. What you don't know, but the boss may know, is if they are planning on scrapping the entire project next month anyway. I can't tell the boss that we should upgrade X, because as far as I know the entire division that uses X may be getting laid off tomorrow. What I can tell the boss is that an upgrade to X would provide benefits Y and Z, at a cost of A.

    • by Tablizer (95088)

      Good advice, but minor addition: CC a fair number of other people. If your boss claims "I never got the message", then you have evidence in other people's in-boxes that at least you made a good-faith attempt to notify your boss and that the email system worked for everybody else.

      Further, CC'ing others tends to make people more aware of a concern because they have to also consider how others are going to view the suggestions. Thus, it's a form of psychology.

      Final advice: look for another job. Stubborn fools

      • Re:EASY (Score:5, Insightful)

        by TheCarp (96830) <sjc&carpanet,net> on Wednesday December 04, 2013 @06:03PM (#45601681) Homepage

        Potentially good advice, potentially bad.

        I work at a large company where this wouldn't fly for one reason: We have a security policy that specifically forbids it. Under the security policy, we have specific guidance for who must be told and, very specifically, that it should not be discussed or divulged beyond that.

        So check the policies first, because, just sending a message out to a large group of people may get you in hot water itself for violating policy.

        oh and.... fuck that shit entirely, get yourself back on the market, if you have to hammer them to get them to take real security issues seriously, it's not worth it.

        • if you have to hammer them to get them to take real security issues seriously, it's not worth it.

          If you can convince them then it is definitely worth it since you will have helped secure the jobs of everyone else at the company. The difficult question is at what point does the boss' disinterest in network security become a threat to everyone's job?

          Having said that, the most reliable sign that the situation is not going to change is if your boss treats you like a personal assistant rather than a professional advisor.

    • by cdrudge (68377)

      Document your correspondences to your boss when you notify vital security issues. Make sure your e-mails are not only backed-up, but you get read receipts or something showing your boss opened the e-mail (and might have read it). Keep those receipts archived. When poop hits the fan, at least, you are protected.

      I'd print them out. That way when you stand in the unemployment line, you'd have something to burn to keep you warm on cold winter's days

      A print out may document it, but if the shit really does hit

    • Re:EASY (Score:5, Informative)

      by jonnyj (1011131) on Wednesday December 04, 2013 @05:31PM (#45601155)

      I agree, but I wouldn't be underhand and I certainly wouldn't use read receipts. That looks horribly like the very worst kind of arse covering.

      You shouldn't go over your boss's head. Juggling a large number of conflicting priorities is what managers are paid to do, and you won't do yourself or anyone else any favours by undermining your boss's judgement in that way. But you should also consider the risk that she consciously has her own best interests at heart rather than the business's interests. She might have the view that, in the event of a security debacle, she will pretend that the team messed up and failed to follow instructions, and simply ride out the storm. In the meantime, she looks efficient and appears to get jobs done quickly with a minimum of fuss.

      Instead, you should sit down with her and clearly express your concerns. You should then follow up your meeting with a very clear email that summarises the conversation. You need to start with an assertive but non-hostile comment that leaves no-one in any doubt what has happened - something like this, "As we discussed earlier, these are the security issues where I believe that we are falling short of regulatory expectations..." Print out that email and take it home with you.

      At that point, your boss has three options. 1. She can fix things. 2. She can escalate up the food chain, so that someone bigger than her can decide whether poor security is really in the company's best interests. 3. At huge personal risk, she can quietly ignore you.

      Middle managers tend to have pretty strong survival instincts, so option 3 is very unlikely to fly. Option 2 is pretty likely, and her manager might well say that security is too expensive/awkward/boring/inconvenient. If that happens, you're probably better off working some place else where you can be proud to turn up in the morning.

    • by roc97007 (608802)

      He asked what we would do. In the spirit of that, I would (and have, in a previous job) do what houbou says above, and then take everything to the appropriate higher authority. Considering that things are most probably going to go TU anyway, what do you have to lose? (This assumes you have a high degree of confidence that you understand the issue and your analysis is correct.)

      In my case, it caused an internal upheaval which resulted in some things getting fixed, but not enough, and when crap hit fan some

    • The short answer is to follow the hierarchy and document everything. Document that you told your boss – that’s CYA.

      Then go to your boss’s boss. Try that. Try to be constructive and offer solutions or at least avenues that should be pursued. Don’t offer specifics – that is somebody else job or a project in of itself. If you have to go negative, don’t tear down your boss, tear down the system.

      Next step is fuzzier. Maybe your boss’s boss’s boss. Maybe Legal. But

    • Re:EASY (Score:4, Interesting)

      by dave562 (969951) on Wednesday December 04, 2013 @07:17PM (#45602739) Journal

      This is the best advice. I will add a couple of things.

      DO NOT GO AROUND YOUR BOSS. That will get you fired. Raise the issues in email, document them and move on. It is ultimately your boss' responsibility, and the responsibility of people above your boss. Unless your title is CSO or something similar, this is not your problem.

      If you want to help your boss, do a risk assessment. Detail what you perceive to be the risks. Detail the potential problems of not doing anything. More importantly, detail what you think the potential solutions are, and what is involved in implementing them. This is important because you want to be constructive, and want to prove that you have put some thought into making things better, and that you are not just a whiner.

      Your success or failure will depend on how you present it. The tack I would take with your boss would be something along the lines of, "Security is obviously not a high priority around here. However, I have recognized these risks that expose the company to potential liabilities under COPPA. Here are my suggestions. Now that I have documented these, I can stop thinking about them and focus on the other priorities that our team has to address."

      Keep in mind, you are not going to make any friends doing this. Once it is in email, they have to act on it. To not act on it makes them liable. Keep in mind, it is not your job to do your boss' job. Unless your job description specifically says, "Mitigate security vulnerabilities in code before deploying to production.", this is not your job. Your job is to do what your boss tells you to do, just as her job is to do what her boss tells her to do, all the way up the chain to the C-level executives and board of directors.

  • Explain the possibility of liability. Let them investigate the risks. Problem will then resolve itself from the top down.

    • Where I work, at an ISP, the "meat space" buildings are all uninsured, however the datacentres & headends are. i.e. it's cheaper to compensate bereaved relatives than the increase in insurance premiums required to provide the cover.
  • by OzPeter (195038) on Wednesday December 04, 2013 @05:12PM (#45600709)

    And I guarantee that all your problems will be solved very quickly by the dedicated volunteers who visit this site.

    But you may need to brush up your resume first.

    • by Drethon (1445051)
      That use of dedicated and volunteers is 100% accurate given they are both but "dedicated volunteers" and the same people... I think amused best describes my thoughts.
    • Or to put it another way, nothing will get fixed as long as the software architect is as gutless as his management and just posts as an anonymous coward and helps conceal the problem. Sure, you don't have to commit career suicide by saying "I'm the guy in the third office on the east wall and I've been reporting all of these problems to Bob but he just lets them slide, here's how to hack our toys", but you could put minimal effort into letting the problems slip out and help the public become aware of them. T
    • by lakeland (218447)

      The submitter did.

      A Fortune 500 company for anyone with kids. That list is about 20 long - it would be very easy to work it out from the submission if you were that way inclined.

  • by Chemisor (97276) on Wednesday December 04, 2013 @05:13PM (#45600731)

    There are some newly unemployed hackers in Elbonia, made deaf and blind by viewing Wally's browsing history. Be a good sport and hire a few of them to break into your website. They are cheap and, being deaf and blind, would not be able to actually see anything useful for identity theft, but will sure be able to get your boss to see the light.

  • Have a written copy (email) of your exchanges with the boss. Advise him/her of the security risk and what consequences could occur if the software were compromised. If there's no response on the matter forward the communication to the legal department.
  • Don't ask /. (Score:5, Interesting)

    by Dishwasha (125561) on Wednesday December 04, 2013 @05:17PM (#45600813)

    I'd start by not advertising to a large public forum containing a lot of people with security exploit experience and motive about your company's web security vulnerabilities where your synopsis easily reduces the attack vector to significantly less than 500 potential targets. How many fortune 500 companies exist that target kids, let alone ones that have a female web software development manager? Also, it should be fairly easy for somebody in the industry to discover which fortune 500 kid targeted companies outsource their system administration.

    At this point, I would do nothing. If they aren't hacked within a week after your posting this article then the security vulnerabilities don't really matter.

  • Paper trail (Score:5, Insightful)

    by bugnuts (94678) on Wednesday December 04, 2013 @05:18PM (#45600827) Journal

    Plain and simple, keep your old emails, offline. If you get cornered for a conversation in person or phone, no problem... just dash off an email stating "You know how you were telling me at lunch not to worry about the security vulns? This still really bothers me. There's got to be a way to mitigate it without affecting deadlines. Imagine the missed deadlines if we lose our infrastructure to an easy hack."

    Don't sound like a troublemaker, but rather, a concerned worker.

    Make it clear you're the professional, and in your professional opinion and that of industry standards, security is sorely lacking. Itemize the issues you have in an email. Keep that email.

    Support their decisions, and live with it.

    Finally, if the shit hits the fan and anyone points fingers at you, refer them to that email. If they fire you for it, that's when you become a troublemaker.

  • Cover your own arse. Document that you were the one reporting the problems and violations. You may lose your job anyway. Prepare for alternative employment. This is always easier while you are still employed. Once you have a reasonable plan for alternative employment you can start making demands. You may either be the hero, or you may end up in the other job.

  • To me it is all based on what your own conscience demands. I spent years battling with my employers about their testing methods (the solution to the program crashing is the user should never enter that combination of values... yet you aren't going to prevent them from doing just that?) and got nowhere. At this point I put in my 40 a week, document the rejection of my recommendations (e-mail archives are your friend) and take pride in what I do outside of work.

    If your conscience won't allow for that... ask
    • by rossz (67331)

      I had a similar experience many years ago. The very first test I did with every build was press both hands on a bunch of keys. It almost always locked the system up completely. So I'd reject it. The lead programmer (who was an idiot) kept saying, "don't do that." My response was, "that's a cat jumping on the keyboard, or a tired person accidentally leaning on the keyboard. It's something that will happen. And when it does, it locks the system so tight you have to do a hard reboot." BTW, this was back

  • It's his responsibility to protect the company from idiots. Alternatively speak to the auditors, who also have a duty to report concerns. But on the whole you are probably screwed; whistle blowers tend to be shot on principle even if they have done the right thing - a new job is probably the best solution.
  • Outsourcing (Score:4, Funny)

    by K. S. Kyosuke (729550) on Wednesday December 04, 2013 @05:21PM (#45600907)

    However it's a security nightmare for sysadmins (which is all outsourced)

    So it is the security nightmare that is outsourced? Finally someone got outsourcing right.

  • Can you get budget to hire a security penetration tester? There are companies which will do penetration testing and then give you a report documenting all of the vulnerabilities they found. With that in hand you have a much stronger case to convince management to fix the problem because now it is a highly qualified security expert that has documented explicit problems.

  • So let's say it gets hacked. Are we talking minor embarrassment, or serious privacy violations? All big companies patch stuff all the time, after they deploy. Adobe probably has a big list of things that need fixing when they get around to it, which maybe explains why there are constantly updates.

  • Integrity Hotline (Score:5, Interesting)

    by MNNorske (2651341) on Wednesday December 04, 2013 @05:24PM (#45600959)
    If you're working for a Fortune 500 company there likely will be some form of internal integrity hotline. I know my own corporation has one. Document your concerns and contact them. I recently had to report a concern raised about one of the major offshore contractors we use to our integrity hotline and it was actually a very good experience from my side. After submitting the issue it took a few days but an investigator from our legal department contacted me and we had a phone conversation, and then I forwarded him some additional details I had held back from the initial correspondence. I did that mostly to protect an individual from the contractor who brought the concerns to my attention.

    I would make sure that the correspondence you send to your legal department includes copies of some of the email chains you have with your managers, peers, etc... raising the concerns. Be sure to specify any regulations you suspect are being violated. If the legal team determines there is concern you can bet that change will happen. If they determine otherwise, then you've done your due diligence and reported it within the means your company gives for you to report it.
  • What's the worst thing that can happen if the site is hacked? Any CC info? How much money will be lost?

    Not every site and data should be treated like Fort Knox. Keep your emails for CYA purposes and keep doing what you are doing.

    • by sconeu (64226)

      Jail is the worst that can happen. Remember, he said "COPPA". That's a federal law regulating how websites deal with children.

  • I wrote a memo laying out all the issues in layman's terms and proposing solutions. Then I gave it to my boss. A little while later with no further movement on the problem, I quit.

    A year passed and the system was hacked. Publicly. Embarrassingly. Folks here on Slashdot asked what the sysadmins could possibly have been thinking. So, I published a copy of the memo I had written.

    Your mileage may vary.

  • by Anonymous Coward on Wednesday December 04, 2013 @05:28PM (#45601063)

    A fortune 500 company that deals with any area that has Federal compliance laws like COPPA, HIPAA, etc should have a compliance officer. They would be the person to contact for issues like this and contacting them should address all your issues.

    1) It gives a paper trail showing you raised the issue and should prevent you from being the scapegoat when something happens.

    2) It should give you someone who understands the relative compliance laws and the risks associated with not complying.

    3) The compliance officer should then have the juice to get something done if they determine this is a legitimate issue. If they determine it isn't an issue then their neck is on the line not yours.

  • by Anonymous Coward on Wednesday December 04, 2013 @05:28PM (#45601075)

    This happened to me when I was contracting for the USDA. Developers were pulling SQL statements in url strings. No... I'm not kidding. Literally "SELECT * FROM .

    1) keep a copy of every email you sent.
    2) evaluate the situation from an objective point of view. Should security be breached... what would be the possible fallout?

    If personal information loss is part of this, immediately take your concerns to your legal team. In my case, I was told by several individuals it was not a problem and it was safe followed by my supervisor who told me it would be fine. I was okay with it until I realized I could pull anyone's private information this way including social security numbers.

    The legal team was very easy to work with. We had to self report 56 violations and my supervisor and two developers were terminated.
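The post above describes an application that took SQL statements straight from the URL and ran them, which is what made every record, social security numbers included, readable by anyone who could type a query string. The code below is an added illustration of that defect beside a hardened replacement; it is not the USDA application or any code from the poster. `insecure_handler` reproduces the described pattern against an in-memory SQLite table of constructed records, and `hardened_handler` shows the fix a reviewer would ask for: the endpoint owns the query text, the client supplies only an integer id and a field name checked against an allowlist, and the id is bound as a parameter rather than spliced into the statement. The table schema, column names and URL parameters are assumptions for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Build an in-memory table of constructed records (not real people or SSNs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, county TEXT)"
    )
    conn.executemany(
        "INSERT INTO applicants (name, ssn, county) VALUES (?, ?, ?)",
        [
            ("A. Farmer", "000-00-0001", "Story"),
            ("B. Grower", "000-00-0002", "Polk"),
            ("C. Rancher", "000-00-0003", "Linn"),
        ],
    )
    return conn


def insecure_handler(conn, url):
    """The pattern the comment describes: SQL text arrives in the query string and is
    executed verbatim. There is nothing to 'escape' here; the design itself is the bug."""
    params = parse_qs(urlparse(url).query)
    sql = params["sql"][0]
    return conn.execute(sql).fetchall()


# Assumed allowlist: the only columns this endpoint is permitted to return.
ALLOWED_FIELDS = {"name", "county"}


def hardened_handler(conn, url):
    """Hardened replacement: fixed statement, allowlisted column, bound integer id."""
    params = parse_qs(urlparse(url).query)
    field = params.get("field", ["name"])[0]
    if field not in ALLOWED_FIELDS:
        raise ValueError("field not allowed")
    try:
        applicant_id = int(params["id"][0])
    except (KeyError, ValueError):
        raise ValueError("id must be an integer")
    # The column name comes from our own allowlist, never from the client string;
    # the id is passed as a bound parameter so it can only ever be a value.
    row = conn.execute(
        f"SELECT {field} FROM applicants WHERE id = ?", (applicant_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(insecure_handler(db, "/report?sql=SELECT+name,ssn+FROM+applicants"))
    print(hardened_handler(db, "/report?id=2&field=county"))
```

Note that the hardened version raises on a non-integer id rather than trying to sanitise it: rejecting malformed input at the boundary is simpler to reason about and to test than any escaping scheme, and it is the kind of check a legal or compliance reviewer can verify without reading the rest of the application.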

  • He's of the opinion that you give your opinion once. If they choose not to listen to you, well, fuck them. (Admittedly my uncle is very smart, has an ivy league degree. Anybody that ignores his advice is royally fucked.) I'm guessing the best thing to do is start looking for a new job because somehow I doubt they'll suddenly get smart. (They'll probably just manage the company into the ground and then blame you for it.)
  • by Goonie (8651) <robert.merkel@TI ... ra.org minus cat> on Wednesday December 04, 2013 @05:30PM (#45601121) Homepage
    While trade/labor unions are much maligned in the often libertarian-leaning IT community, this is the kind of situation where a bit of organization amongst colleagues, along the lines of what engineers or medical professionals have, would actually be useful.

    But given that we have the IT professional community that we have:

    • Document that you've told your boss, and probably your boss's boss, and probably the legal department (perhaps informally and verbally initially). If you've told them, it's their problem, not yours.
    • Start polishing your resume. Whistleblowing usually has negative consequences for the whistleblower - and, furthermore, continuing to work for an organization which has such a lax attitude to software poses a risk to your career if you stay there.

    Incidentally, your case neatly demonstrates the near-uselessness of the IEEE-ACM Software Engineering Code of Ethics [computer.org], which is very long on what the ethical obligations of a software engineer are, but has nothing useful to say about what you should do where others are ordering you to act unethically.

  • Sure send your notification emails and cya.. once that's done it's more a game of wait for the overtime, because when, and I mean when, it goes down it will be like Oprah came by with.. And overtime for you, and for you, and for you.. overtime for everyone until we fix this!!
  • Step by step, so a non-technical type can understand just what the issue is. "Security" for some folks is a vague amorphous issue with no real consequence. I've been stunned by some of the malware and lack of security I've seen on people's computers. They don't "get it." They don't understand the risk and the damage.

    Help your boss "get it" if that's the issue. Explain the consequences of a breach, and the damage to the brand. Show with other examples in the media.

    My $0.02.

  • Document, do nothing (Score:4, Informative)

    by onyxruby (118189) <{onyxruby} {at} {comcast.net}> on Wednesday December 04, 2013 @05:33PM (#45601203)

    Document the issues so that it is clear you are aware and tried to do something about them. Bring them up verbally to your boss, without being obnoxious about it. Once you've done those, then you need to do the hardest thing of all, which is to let it go. If you make too big of a deal about it you will be seen as a troublemaker. If you do nothing you will be seen as complicit or incompetent if there is a violation.

    Now in certain industries you may have requirements (possibly enforced by law) that require you to do more. Most of the time that isn't the case and you have to let it go and move on with other things. Oftentimes disasters are the only way that people higher up the food chain can and will learn.

    I recall when Nimda was making its rounds in 2000. I was aware of the worm, had the patches downloaded, instructions printed and had requested permission to patch servers. Permission was denied. I asked again, it was denied again. I had awareness of the issue, my statement of the severity and denial all in writing.

    I watched a fortune 25 company go down for 2 days and lose $100 million dollars and countless workers get sent home when their facilities were rendered useless. As a result an inflexible policy was changed and any number of people were fired or disciplined. Because I had documented everything I was just about the one person nobody faulted.

  • Your company is Sony?
  • If it's dealing with children and you are that concerned and management has done nothing to change it, blow the whistle on them.
  • You should include the business owner on your emails to your boss outlining what is wrong AND how to fix the problem. Include in the what is wrong part, why the app is vulnerable.

    Since you state that you came into the migration towards the end of the process, state that you are just now understanding that these issues even exist.

  • Difficult to imagine the powers that be caring much about application security if they're willing to outsource sysadmin duties. And yes, I know that's common. But that doesn't make it sensible from a risk management viewpoint.
  • So you've got a vulnerable web app that can't be fixed with new vulnerabilities being introduced all the time.

    That's what web application firewalls are designed for. Installing one takes less schedule time than doing things right would take, and it might work better than nothing.

    Though of course this is not a technical problem, it's easier to paper over a people problem with a technical patch than it is to fix people.

  • Document the problems, report them up your chain appropriately and thoroughly, backup that documentation to personal storage resources to CYA and get out of there before the inevitable implosion happens. The management shakeup that will occur during and after the implosion will sweep away people regardless of who was aware of it and reporting it properly. The CYA is in case there are legal repercussions which draw you in,
  • Probably the task furthest from experience as an engineer/architect, but when it's not enough to tell them (boss, executives, legal) that it's a "potentially bad thing," also include some dollar figures.

    As a tangent, you should also always have the right to contact Legal without supervision. In this case, you could even tell that person in the legal department you're doing a risk-impact report (without lying) and need an estimate for how much it would cost for the company to legally defend or settle a class

    • That's getting close. Talk to your auditors too. Let them figure out what the liability is, and they'll persuade the board to take action. Meanwhile, get your incident response plan ready. Once the intrusions start, you'll have a lot of people breathing down your neck looking to know how to respond.
      Insert obligatory "Think of the children!!!!" where needed.
  • Surely there's an infosec or security group at your company. Let them know. Otherwise, fire a note to your boss and cc your second level manager.

    Don't have the email be one where you are blaming your boss, but if the security issues are beyond your manager's command and control span, then it's probably under your next level manager/director. Something as simple as "I've noticed some odd security practices taking place within the application... what group is responsible for setting the methodology...?"

    So

  • Sell that shit.

    Also, FUCKING Name Names.

  • by walmass (67905) on Wednesday December 04, 2013 @07:46PM (#45603041)
    Fortune 500? Publicly traded company?

    Then there is a code of ethics violation reporting mechanism. Contact them, contact internal audit, or contact corporate legal.

    Reporting through the code of ethics violation mechanism provides you the strongest protection, because there is a stated policy that you cannot be retaliated against (still no guarantee that you will not be, just that it will help you in the subsequent multi-million dollar lawsuit you can bring). Make sure you mention the violation of COPPA and ask THEM to contact corp legal.

    Also understand that you will not be seen as a hero. You will be branded as a troublemaker, so better be ready to switch jobs.

    (Yes, I have been in a very similar position)

    PS: I see some advice about documenting your interaction with the manager for the time when the shit hits the fan. Trust me, it will not help you a whit if it came to that.
  • I had basically the same situation at my last job. I fought it for years, talk about 'working on your nerves'. Anyway, I finally quit. After that they got some other guy to take my position, and he quit 3 weeks later. They eventually had to restructure the company, but did so in a way to keep the stupidity that caused us to quit. They're a failing company now, and I've moved on. Now I'm self-employed and am able to pay my bills. Aside from being able to sustain my life with money, I'm also able to su
  • Lots of what other people have said is good.

    Approach legal and tell them about our many violations of COPPA?

    Ask legal what framework you should be working under, and what laws and compliance are going to be required as part of doing your job. You aren't really sure what your personal obligations are in this regard, because you understand that there are regulations but you aren't sure who is responsible for implementing what exactly, and you've gotten conflicting or confused responses from your superiors.

  • by jonwil (467024) on Wednesday December 04, 2013 @09:25PM (#45603867)

    Assuming the website really violates COPPA, Google "COPPA violations" and grab some links to articles showing where the FTC sued over such violations and got big settlements. Then email those links to the boss (keeping copies of all this as others have suggested) and say something like "these guys got sued by the FTC and had to pay some big $, do you want to see our company get sued?"

    If the boss takes an "I don't care" attitude or ignores the emails, go to the legal department or compliance officers with the same thing and say "I pushed this to my superiors and they chose to ignore it, I don't want to see our company held liable by the FTC, what should I do about it?"

    If that doesn't work, consider packing up and leaving. Any company where the legal department doesn't care that the company is violating such a law and is one tip-off away from an FTC investigation (which could be a PR nightmare especially for a site that targets kids specifically) isn't a good company to work for.

  • by TheGoodNamesWereGone (1844118) on Wednesday December 04, 2013 @09:41PM (#45603953)
    I'd leave Microsoft and get another job
