
Ask Slashdot: Application Security Non-existent, Boss Doesn't Care. What To Do?

Soulskill posted about 8 months ago | from the red-alert dept.

Security 310

An anonymous reader writes "I am a senior engineer and software architect at a fortune 500 company and manage a brand (website + mobile apps) that is a household name for anyone with kids. This year we migrated to a new technology platform including server hosting and application framework. I was brought in towards the end of the migration and overall it's been a smooth transition from the users' perspective. However, it's a security nightmare for sysadmins (which is all outsourced) and a ripe target for any hacker with minimal skills. We do weekly and oftentimes daily releases that contain and build upon the same security vulnerabilities. Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department. I inform my direct manager and colleagues about security issues before they are deployed and the response is always, 'we need to meet deadlines, we can fix security issues at a later point.' I'm at a loss as to what I should do. Should I go over my manager's head and inform her boss? Approach legal and tell them about our many violations of COPPA? Should I refuse to deploy code until these issues are fixed? Should I look for a new job? What would you do in my situation?"


310 comments


EASY (5, Insightful)

houbou (1097327) | about 8 months ago | (#45600633)

Document your correspondences to your boss when you notify vital security issues. Make sure your e-mails are not only backed-up, but you get read receipts or something showing your boss opened the e-mail (and might have read it). Keep those receipts archived. When poop hits the fan, at least, you are protected.

It won't be a problem until it's a problem... (1)

Anonymous Coward | about 8 months ago | (#45600763)

...then it will be your problem no matter how well you perform due diligence in this case. This is why I'm making it a rule that if I have to be responsible for making decisions, I want irebokable severance going forward so I can do the right thing by the stockholders without fear of retaliation due to butt-hurt bosses...

Re:It won't be a problem until it's a problem... (1, Funny)

Anonymous Coward | about 8 months ago | (#45601511)

irebokable severance

Severance that can't be...given Reebok shoes?

Re:EASY (5, Insightful)

Penguinisto (415985) | about 8 months ago | (#45600885)

All that, and it wouldn't hurt to print off copies of those emails (and his responses!) and take those home for personal storage. That way, if poop-meets-fan and they suddenly perp-walk you out (before you have a chance to reach for your backups or suchlike) you still have usable documentation - this is in case any governmental authorities get involved, a lawsuit springs from it, etc..

Printing also gives you the advantage of having backups that you can walk out of the building with and not set off any alarms, since many tightly-regulated companies lock down the use of USB sticks, external hard disks, and etc. (my last employer -- a web-banking software house-- would literally fire you on the spot if you got caught using a geek stick or external drive on their desk/laptop equipment or servers - at least if you do it w/o prior written manager authorization and only on authorized devices.)

To top that off, the printed copies are protection against an 'oops - our retention is only set to two weeks and the backups were corrupted somehow; sorry, sucker!' move. F500 firms generally blow away anything in the inbox that's more than a couple of weeks old anyway, so if you forget to archive it off to a .pst or another folder, it's usually gone by week 3, with no recourse.

Meanwhile, it wouldn't hurt to have a bit of a side conversation with someone in legal (for a start), then escalate it to formal conversations with them via email (again, print those suckers off) should nothing get resolved.

Re:EASY (5, Informative)

Garridan (597129) | about 8 months ago | (#45600957)

Cover your ass BEFORE you talk to somebody in legal. The legal department is there to protect the company and NOT its employees. A good legal dept will say "hey, this employee is trying to reduce our liability" -- but a bad one will say "this employee is a liability" and shoot the messenger.

Re:EASY (1)

Penguinisto (415985) | about 8 months ago | (#45601023)

Agreed. Always line up the ducks before you go shooting.

Re:EASY (1)

JoeMerchant (803320) | about 8 months ago | (#45601405)

If you're needing paper backups to CYA for a perp-walk, you can probably find better pay and benefits in a less stressful job at another company.

Re:EASY (5, Interesting)

MillerHighLife21 (876240) | about 8 months ago | (#45600921)

This. My last job was at an aftermarket buy/sell/trade website where I got to take over the whole project mid-rebuild after the previous staff walked out/botched the job/etc. The user base was under constant attack from phishing, fraud, scams doing literally everything you could imagine including hacking accounts. The users complained about it constantly, people were losing trust in the site.

The owners' only concerns were that I add new functionality. One of them wanted me to build a blog in the midst of all this. They were also totally willing to sell user information to ad companies if it meant better ad deals.

The core of the entire business was the part that was under attack. Being the only programmer there and realizing that there would not be a job left to complain about if I didn't do what needed to be done, I finally just started doing everything once all attempts at communicating the level of importance had failed. Built and integrated security features that had been present in the previous platform. Developed anti-phishing tools. Added intrusion detection for accounts. Built my own anti-spam system. By the time I was done with it, user complaints had nearly stopped and people were significantly more comfortable. Trading went back up. Crisis was over.

Owners didn't think I was working hard enough.

In the end I collected enough numbers to measurably illustrate the impact that my work had on the company, so I resigned with an awesome resume addition in hand that promptly landed me a muuuuuuuch better job with a better company.

Moral of the story: Do your due diligence. Try to communicate the importance. If you can provide numbers that put things in perspective for somebody more business minded - do it. At the end of the day though, owners who don't understand probably won't care. In this particular situation, if I didn't take the action that I did the company would have gone under. Others may be different though, so you need to be able to measure the cost of a breach in financial terms because that is the ONLY thing the owners will care about.

Outside of that, C.Y.A.

Re:EASY (5, Insightful)

Jeremiah Cornelius (137) | about 8 months ago | (#45600927)

Find another job.

These are not the only problems, just the ones you have seen.

Re:EASY (1)

tsa (15680) | about 8 months ago | (#45601039)

Indeed. However well you document the lack of progress and the disinterest of the managers, when something happens it will be your fault and you will have a shitload of problems. Leave ASAP.

Re:EASY (3, Insightful)

sneakyimp (1161443) | about 8 months ago | (#45600929)

Yes it's definitely a good idea to cover one's ass, but curing a problem is a lot harder than preventing one. If it were me, I would go get the access logs (like SSH logs and apache logs) and point out all of the brute hack attempts that are likely to be in there. E.g., brute forced ssh login attempts, SQL injection attempts, etc. I would then say to boss-man: "THESE ARE HACK ATTEMPTS and they will ultimately succeed and I want to fix them. If you don't let me fix them, you will have to take the blame." I do think that it is reasonable to draw attention to security problems even if it does step on some toes. Putting marketing folks in charge of code development is particularly infuriating to me as a developer. Rat those hacks out. As for your boss, I'd give her/him a few chances to fix and then go around. I believe it was Gen. George S. Patton who claimed he would always shift his loyalties to whoever was highest up the food chain once he made contact with them. It's a bit cutthroat, but sometimes called for if someone is doing the wrong thing.
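
sneakyimp's suggestion above is to pull evidence of attack attempts out of the logs before going to management. The script below is an added example (not sneakyimp's code and not from anything in the original thread) that does exactly that over constructed sshd and Apache access-log lines: it counts failed SSH password attempts per source address and flags requests whose URL-decoded query string carries common SQL-injection indicators, then folds both into a small report. The hostnames, addresses, paths, user agents and the five-failure threshold are all assumptions made for the sample.

```python
"""Scan sample sshd auth-log and Apache access-log lines for brute-force and
SQL-injection attempts, the kind of evidence worth showing management.
Added example; every log line below is constructed, not from a real system."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample of OpenSSH auth.log lines (syslog format).
SSH_LOG = """\
Dec  3 10:01:11 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Dec  3 10:01:13 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Dec  3 10:01:15 web1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 51041 ssh2
Dec  3 10:01:17 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 51052 ssh2
Dec  3 10:01:19 web1 sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 51060 ssh2
Dec  3 10:02:40 web1 sshd[2230]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
Dec  3 10:03:02 web1 sshd[2241]: Failed password for deploy from 192.0.2.10 port 40120 ssh2
"""

# Constructed sample of Apache combined-format access log lines.
ACCESS_LOG = """\
203.0.113.5 - - [03/Dec/2013:10:05:01 +0000] "GET /games/list?cat=puzzles HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Dec/2013:10:05:07 +0000] "GET /games/list?cat=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9031 "-" "scanner/1.0"
203.0.113.9 - - [03/Dec/2013:10:05:09 +0000] "GET /games/list?cat=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 312 "-" "scanner/1.0"
203.0.113.5 - - [03/Dec/2013:10:06:15 +0000] "POST /profile/update HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# "Failed password for [invalid user] NAME from IP" as written by OpenSSH.
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
# Client IP, method, request path and status code from a combined-format line.
APACHE_REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators checked against the URL-decoded request; these are the textbook
# tautology / UNION / comment-tail shapes, not an exhaustive signature set.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'?\d*'?\s*=", re.I),      # ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),  # UNION SELECT
    re.compile(r"--\s*$|;\s*drop\b|/\*.*\*/", re.I),      # comment / stacked-query tails
]


def ssh_bruteforce(log_text, threshold=5):
    """Return {ip: failure_count} for sources with at least `threshold` failed passwords."""
    failures = Counter()
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            failures[m.group(2)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def sqli_attempts(log_text):
    """Return (ip, method, decoded_path, status) for requests matching an SQLi indicator."""
    hits = []
    for line in log_text.splitlines():
        m = APACHE_REQ.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        decoded = unquote_plus(path)  # decode before matching; encoded payloads hide otherwise
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits.append((ip, method, decoded, int(status)))
    return hits


def summarize(ssh_text=SSH_LOG, access_text=ACCESS_LOG):
    """Combine both checks into a report dict that can go straight into a write-up."""
    return {
        "ssh_bruteforce_sources": ssh_bruteforce(ssh_text),
        "sqli_requests": sqli_attempts(access_text),
    }


if __name__ == "__main__":
    report = summarize()
    for ip, n in report["ssh_bruteforce_sources"].items():
        print(f"SSH brute force: {ip} made {n} failed password attempts")
    for ip, method, path, status in report["sqli_requests"]:
        print(f"SQLi attempt: {ip} {method} {path} -> HTTP {status}")
```

On real logs the interesting columns for a non-technical reader are the ones this report keeps: how many sources are hammering SSH, how many requests carry injection payloads, and whether any of them got a 200 or a 500 back (a 500 on an injected parameter is the line that tends to get a manager's attention). Point the two functions at the real auth.log and access_log contents instead of the constructed samples.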

Re:EASY (2)

Tablizer (95088) | about 8 months ago | (#45600967)

Good advice, but minor addition: CC a fair number of other people. If your boss claims "I never got the message", then you have evidence in other people's in-boxes that at least you made a good-faith attempt to notify your boss and that the email system worked for everybody else.

Further, CC'ing others tends to make people more aware of a concern because they have to also consider how others are going to view the suggestions. Thus, it's a form of psychology.

Final advice: look for another job. Stubborn fools drag everybody down with their self-made Titanic. BeenThereDoneThat. Complaining to others frequently rarely works, and hurts your career.

B'OH! (-1)

Anonymous Coward | about 8 months ago | (#45601209)

also, know the difference between CC: and BCC:

Re:B'OH! (3, Insightful)

geminidomino (614729) | about 8 months ago | (#45601489)

He said CC and he meant it. Part of the logic (he even said it explicitly) is that the boss sees "Oh crap, now all these other people in the company know what's going on, and will be watching to see what I do about it."

Re:EASY (1)

cdrudge (68377) | about 8 months ago | (#45601153)

Document your correspondences to your boss when you notify vital security issues. Make sure your e-mails are not only backed-up, but you get read receipts or something showing your boss opened the e-mail (and might have read it). Keep those receipts archived. When poop hits the fan, at least, you are protected.

I'd print them out. That way when you stand in the unemployment line, you'd have something to burn to keep you warm on cold winter's days

A print out may document it, but if the shit really does hit the fan, documentation may not cover your ass much.

Re:EASY (5, Informative)

jonnyj (1011131) | about 8 months ago | (#45601155)

I agree, but I wouldn't be underhand and I certainly wouldn't use read receipts. That looks horribly like the very worst kind of arse covering.

You shouldn't go over your boss's head. Juggling a large number of conflicting priorities is what managers are paid to do, and you won't do yourself or anyone else any favours by undermining your boss's judgement in that way. But you should also consider the risk that she consciously has her own best interests at heart rather than the business's interests. She might have the view that, in the event of a security debacle, she will pretend that the team messed up and failed to follow instructions, and simply ride out the storm. In the meantime, she looks efficient and appears to get jobs done quickly with a minimum of fuss.

Instead, you should sit down with her and clearly express your concerns. You should then follow up your meeting with a very clear email that summarises the conversation. You need to start with an assertive but non-hostile comment that leaves no-one in any doubt what has happened - something like this, "As we discussed earlier, these are the security issues where I believe that we are falling short of regulatory expectations..." Print out that email and take it home with you.

At that point, your boss has three options. 1. She can fix things. 2. She can escalate up the food chain, so that someone bigger than her can decide whether poor security is really in the company's best interests. 3. At huge personal risk, she can quietly ignore you.

Middle managers tend to have pretty strong survival instincts, so option 3 is very unlikely to fly. Option 2 is pretty likely, and her manager might well say that security is too expensive/awkward/boring/inconvenient. If that happens, you're probably better off working some place else where you can be proud to turn up in the morning.

Re:EASY (0)

Anonymous Coward | about 8 months ago | (#45601281)

Document your correspondences to your boss when you notify vital security issues. Make sure your e-mails are not only backed-up, but you get read receipts or something showing your boss opened the e-mail (and might have read it). Keep those receipts archived. When poop hits the fan, at least, you are protected.

Don't just keep them backed up online, but back them up elsewhere, such as a hard copy. Companies can and do delete old emails, intentionally due to relationship to a particular topic and as a policy to avoid maintaining large amounts of unused data.

Re:EASY (1)

roc97007 (608802) | about 8 months ago | (#45601289)

He asked what we would do. In the spirit of that, I would (and have, in a previous job) do what houbou says above, and then take everything to the appropriate higher authority. Considering that things are most probably going to go TU anyway, what do you have to lose? (This assumes you have a high degree of confidence that you understand the issue and your analysis is correct.)

In my case, it caused an internal upheaval which resulted in some things getting fixed, but not enough, and when crap hit fan some months later, the company barely survived, and then only by becoming a much smaller company.

I was one of the employees laid off in the debacle, but I figure that had I not spoken up, the collapse would have been worse if anything, and I would still have been laid off, and I take comfort in the fact that at least I gave it my best effort. In fairness, I wasn't the only person who raised alarms. I guess what I learned is that companies have a powerful inertia, and it's not easy to correct a massive mistake in an acceptable amount of time. I can sympathize with people who see the approaching wall, say "oh well" and start updating their resume.

Find a new job (1)

Anonymous Coward | about 8 months ago | (#45600641)

Find a new job. Thread over.

Re:Find a new job (3, Insightful)

Aighearach (97333) | about 8 months ago | (#45600727)

Or just care less.

Re:Find a new job (0)

Anonymous Coward | about 8 months ago | (#45600951)

Or just care less.

this is the root cause of the original problem, why would you keep compounding the issue? clearly the OP takes some semblance of enjoyment and self satisfaction from his work.

with an attitude like quoted above and people wonder why the government is managing by budget crisis, continually kicking the can down the road until its someone else's problem

“The price good men pay for indifference to public affairs is to be ruled by evil men.” - Plato

hate to say it BUT... (1)

Anonymous Coward | about 8 months ago | (#45601029)

that's pretty much what I did for several years... (well, that & pay off our house so it wouldn't matter that much if I got blamed)

I even coined a Dilbert-esque term for it: "the rapt* principle - no cube dweller ever got rewarded for being right about someone in a corner office being wrong..."

*long story I'll spare everyone

it's definitely the corporate Kobayashi Maru...

that said (& as others have noted): DOCUMENT! DOCUMENT! DOCUMENT! it won't save you from corporate scapegoating but could from a legal/PR/future job hunt problem...

Re:Find a new job (3, Insightful)

mlts (1038732) | about 8 months ago | (#45600783)

Seconded. This is a pile of manure just waiting to fall onto someone as a scapegoat, and it might be that the application is already compromised.

Approaching legal won't do the trick. They will immediately turn around and tell the boss that so and so have gone over their head... and this won't be good for future (or present) job prospects.

Were I in your shoes, I would be honing my LinkedIn profile, updating the resume, maybe shooting for a certificate or two for keywords, and starting the hunt.

In previous IT jobs, I've heard the mantra, "security has no ROI" plenty of times, followed by, "Geek Squad can fix it if we get hacked" when I ask the obvious followup question. When you hear that song and dance, run.

Re:Find a new job (1)

Penguinisto (415985) | about 8 months ago | (#45600975)

Yes and no... nowadays, with mandatory reporting in some cases, and every newly unemployed developer on the planet able to post to any number of disclosure lists, I'm not seeing too many management types left these days that would take such a stupid risk.

Re:Find a new job (0)

Anonymous Coward | about 8 months ago | (#45600863)

Try to find a job where your understanding of security issues is valued. They're going to resent you if you manage to force them; that's potentially a lot of stress coming your way in the future.

submit to legal department (1)

i kan reed (749298) | about 8 months ago | (#45600665)

Explain the possibility of liability. Let them investigate the risks. Problem will then resolve itself from the top down.

Re:submit to legal department (0)

Anonymous Coward | about 8 months ago | (#45600773)

That will only work if the chief legal counsel believes the odds are against them.

Re:submit to legal department (1)

i kan reed (749298) | about 8 months ago | (#45600837)

That's, sadly, the extent of his employer's financial liability then and his manager is making the financially sensible choice. If the laws aren't in favor of the customer enough to make an incentive, then that's everyone's problem, not the OP's.

Re:submit to legal department (2)

jvj24601 (178471) | about 8 months ago | (#45600841)

That will only work if the chief legal counsel believes the odds are against them.

We're in IT; the odds are never in our favor.

Re:submit to legal department (0)

Anonymous Coward | about 8 months ago | (#45600847)

Nobody likes a tattletale, esp fortune 500 companies.

Re:submit to legal department (1)

i kan reed (749298) | about 8 months ago | (#45601019)

Well, telling the company about itself isn't going to annoy itself. Telling federal or state officials might, but then... whistle-blower protection laws, suckers(you still secretly get blacklisted).

Re:submit to legal department (1)

Finallyjoined!!! (1158431) | about 8 months ago | (#45600939)

Where I work, at an ISP, the "meat space" buildings are all uninsured, however the datacentres & headends are. i.e. it's cheaper to compensate bereaved relatives than the increase in insurance premiums required to provide the cover.

Re:submit to legal department (0)

Anonymous Coward | about 8 months ago | (#45600949)

This.
Make sure to cya and then let someone else worry about it.
You aren't paid enough to worry about this.

Re:submit to legal department (0)

Anonymous Coward | about 8 months ago | (#45600969)

if it isn't resolved this way, then it's their calculated risk and decision to make and they can't say they weren't given the math.

they tend to not care because more security does not equal more money. nobody sees insurance payouts like they do income or profits on investments, even though it's all just money. also, people like you have a tendency to doomsay and overreact and they trust you more than you trust yourself to deal with it when it actually happens - however naive that might be of them, it's not their fault they think this way because it's true in most other situations.

write up your report detailing the risks, include published stats from other companies like yours that include costs after hacking so they understand the potential cost of inaction and they will never be able to claim you didn't warn them.

keep in mind their business strategy is not "we'll blame the tech if we get hacked" - their business strategy is to make money. your job is not to ensure it gets done, but merely to ensure they understand the risks. if you feel your hallway conversations aren't getting the job done, then YOU'RE not getting YOUR job done. I totally agree with parent, do some actual homework and put it in a letter first to your boss. if he doesn't react, then maybe CEO or legal, but that could be interpreted as going over your boss's head and usually bad.

if your direct supervisor has acknowledged it and didn't act, that's on him, but do everything you can to ensure he makes an informed decision regarding security priorities by actually understanding the potential costs.

and guess what - you may not be approved to work on it, and be forced to do so in your spare time. if you have none of that and can't get approval to work on such a report, then ok you need a new job. or maybe a new career.

Da fuq? (0, Insightful)

Anonymous Coward | about 8 months ago | (#45600701)

Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department.

Well there's your problem.

Re:Da fuq? (4, Insightful)

tsa (15680) | about 8 months ago | (#45601113)

He knows what his problem is. Why is your comment rated insightful?

WWMCD? (-1)

Anonymous Coward | about 8 months ago | (#45600703)

Ask yourself -- what would Michael Crawford do?

Go on .. tell us who (4, Funny)

OzPeter (195038) | about 8 months ago | (#45600709)

And I guarantee that all your problems will be solved very quickly by the dedicated volunteers who visit this site.

But you may need to brush up your resume first.

Re:Go on .. tell us who (1)

Drethon (1445051) | about 8 months ago | (#45600781)

That use of dedicated and volunteers is 100% accurate given they are both but "dedicated colunteers" and the same people... I think amused best describes my thoughts.

Re:Go on .. tell us who (1)

Michał Matyas (3453849) | about 8 months ago | (#45601117)

Fortune 500 company that has something to do with kids and recently revamped their website? Shouldn't be that hard to find.

Put it in writing (0)

Anonymous Coward | about 8 months ago | (#45600721)

Write an email to your manager listing out the security vulnerabilities and your concerns. CC your manager's boss.

Re:Put it in writing (1)

Anonymous Coward | about 8 months ago | (#45600987)

^ This. CYA is the name of the game. I used to do security/pen testing/sys admin stuff for a living and I can tell you that I practiced CYA at every turn. Inform everyone that needs to know, copy yourself on all communications and print them for a hard copy (include headers). Speak with anyone above you and lateral that will listen. Make your concerns known or else failure to do this may come back to bite you. Your boss could very well say she asked you to do something about it and make it look like it was you who were guilty of inaction. Seen this happen. More than once. Keep copies of everything.

Legal and Compliance (0)

Anonymous Coward | about 8 months ago | (#45600729)

Assuming you are with a large company there should be published legal and compliance policies. You can innocently ask that group for advice about the situation and you will probably find they carry much more weight on what should be done. If they approve of what your manager decided then nothing else for you to do.

Call Elbonia (4, Funny)

Chemisor (97276) | about 8 months ago | (#45600731)

There are some newly unemployed hackers in Elbonia, made deaf and blind by viewing Wally's browsing history. Be a good sport and hire a few of them to break into your website. They are cheap and, being deaf and blind, would not be able to actually see anything useful for identity theft, but will sure be able to get your boss to see the light.

Who cares? (-1)

Anonymous Coward | about 8 months ago | (#45600735)

Either take the paycheque or don't. You're not fighting any great fight here.

Look for another job or live with it (0)

Anonymous Coward | about 8 months ago | (#45600739)

are about the only two choices. It's extremely unlikely you'll be able to change anything until the business case makes it something they want to do. Sure you "could" get hacked. What are the odds? The business folk are willing to play those odds. You'll only lose your hair trying to convince them otherwise.

advise & document (1)

KernelMuncher (989766) | about 8 months ago | (#45600741)

Have a written copy (email) of your exchanges with the boss. Advise him/her of the security risk and what consequences could occur if the software were compromised. If there's no response on the matter forward the communication to the legal department.

Marketing!? (0)

Anonymous Coward | about 8 months ago | (#45600771)

I'll address these concerns you have one by one:

* If there's any failure, willful or not, by your company to comply with any laws you should notify legal immediately. They'll appreciate that.

* You receive your code from marketing!? I hope I read that wrong.

* If your job is to deploy code, you have a duty to refuse to deploy code until such fixes are put in place. If your boss overrides that decision, speak with someone higher up the chain. If push comes to shove, document the security issues and your thoughts to protect yourself.

* If you feel you cannot perform the job you were hired into, you should find a new job. It sounds like you can't if no one is listening to you.

Re:Marketing!? (0)

Anonymous Coward | about 8 months ago | (#45601011)

To summarize, there is no upside here. Comply and take your chances, or run as quietly and anonymously as possible for your life.

Quit (-1)

Anonymous Coward | about 8 months ago | (#45600797)

No, really - quit.

You cannot make any changes.

"I am a senior engineer and software architect at a fortune 500 company and manage a brand (website + mobile apps) that is a household name for anyone with kids."

Yeah, and?

Blah, blah,blah,blah,blah, and ..AND!?

You are a moron, or a shill for Dice!

Fuck off - idiot!

God, really do we really have to deal with these assholes?!

Re: more dice propaganda bs (-1)

Anonymous Coward | about 8 months ago | (#45601173)

Yep this sounds like it is just more dice astroturf.. there are a few glaring telltale markers in the post that really make me doubt this is an actual situation and not something contrived. FUCK OFF DICE, you see people who count in this industry have brains and it is not going to be as easy as you might believe to change employment culture. I don't give a fuck what certifications anyone has and I don't know anybody who hires straight from dice.com nor do the recruiters I go through both when seeking myself and hiring. Maybe Prakash K at quickhiresforfillingcubiclespace.com does, but we do not.

risky but very useful (0)

fluffythedestroyer (2586259) | about 8 months ago | (#45600803)

I often found that when someone doesn't want to listen to you and you know what you have to say is important, then the solution to it is create more noise until you're heard.

In your case, which would be very risky as you "could" lose your job but at this point I would do it since no one wants to listen, it's to create a problem LIVE and let the company go in nightmare mode.

To be more precise, let them think a hacker got all the info off of one of the vulnerable issues and because of that they got some sensitive information... just don't let them know it's not true. Let them think it's real and let them freak out a bit.

Then, after they freak out, calm them down and explain how to fix it... at that point, they will listen and understand your issue... some people are just plain fucking idiots. That especially happens on the higher end of a company, it's like they live on another planet and only look at numbers and statistics.

Re:risky but very useful (1)

Anonymous Coward | about 8 months ago | (#45600997)

create a problem LIVE and let the company go in nightmare mode.

I'm pretty sure that what you are describing is neither legal nor ethical.

Re:risky but very useful (2)

PaddyM (45763) | about 8 months ago | (#45601183)

This is a terrible idea. I strongly oppose this approach.

Re:risky but very useful (0)

Anonymous Coward | about 8 months ago | (#45601213)

A pretend zero-day "it was all a serious joke" approach is a terrible idea. Nobody will take it well.

Better: Hack your own app with some common technique, document how, tell what skill level a random hacker needs to do that, show some of the live data you actually get out of it, describe what impact this may have on your customers, and show how much financial impact similar breaches have had on other companies. Give a rough estimate of the number of this or other types of vulnerabilities your software has been accumulating. Describe what some of those other vulnerabilities may be.

Put it all in a very brief presentation or document whose responses should be "I had no idea they could do that" and "It will cost us how much?"

Don't do anything if you have kids. (1)

musixman (1713146) | about 8 months ago | (#45600807)

Does it ever work out well for the whistle blower? Document your concerns then move on... it's better than being unemployed.

Don't ask /. (4, Interesting)

Dishwasha (125561) | about 8 months ago | (#45600813)

I'd start by not advertising to a large public forum containing a lot of people with security exploit experience and motive about your company's web security vulnerabilities where your synopsis easily reduces the attack vector to significantly less than 500 potential targets. How many fortune 500 companies exist that target kids, let alone ones that have a female web software development manager? Also, it should be fairly easy for somebody in the industry to discover which fortune 500 kid targeted companies outsource their system administration.

At this point, I would do nothing. If they aren't hacked within a week after you posting this article then the security vulnerabilities don't really matter.

Re:Don't ask /. (4, Insightful)

paavo512 (2866903) | about 8 months ago | (#45601033)

At this point, I would do nothing. If they aren't hacked within a week after you posting this article then the security vulnerabilities don't really matter.

Maybe this was the strategy of OP? In that case, brilliant!

Re:Don't ask /. (1)

Anonymous Coward | about 8 months ago | (#45601233)

... let alone ones that have a female web software development manager.

In the F500, that is not going to narrow it down - I can guarantee you that all of them have at least one female development manager, and probably many more.

For my stereotype of the day: I'm going to guess that you are over 50 years old.

Re:Don't ask /. (0)

Anonymous Coward | about 8 months ago | (#45601239)

So it's CBS, VIACOM or Mattel.

Paper trail (4, Insightful)

bugnuts (94678) | about 8 months ago | (#45600827)

Plain and simple, keep your old emails, offline. If you get cornered for a conversation in person or phone, no problem... just dash off an email stating "You know how you were telling me at lunch not to worry about the security vulns? This still really bothers me. There's got to be a way to mitigate it without affecting deadlines. Imagine the missed deadlines if we lose our infrastructure to an easy hack."

Don't sound like a troublemaker, but rather, a concerned worker.

Make it clear you're the professional, and in your professional opinion and that of industry standards, security is sorely lacking. Itemize the issues you have in an email. Keep that email.

Support their decisions, and live with it.

Finally, if the shit hits the fan and anyone points fingers at you, refer them to that email. If they fire you for it, that's when you become a troublemaker.

Re:Paper trail (0)

Anonymous Coward | about 8 months ago | (#45601391)

Sounds like in your company, the noisy wheel gets replaced, not fixed. Get your resume in order before you go raising the issues. It's obvious management's priorities are updating the website no matter what, sort of like Obamacare's website. Eventually something will happen and you'll be the scapegoat.

Re:Paper trail (0)

Anonymous Coward | about 8 months ago | (#45601461)

They won't fire him for that, they'll fire him for something else unrelated. His bosses clearly don't want a "concerned worker"; they want quiet obedience, and he's already failed at that, or maybe a sacrificial goat. He needs to start looking for a new job.

Relax, we understand j00 (0)

Anonymous Coward | about 8 months ago | (#45600849)

Go home, drink a bottle of whiskey, cry a little, go to work the next day and stop worrying about it :)

Cover your own arse. (1)

TechyImmigrant (175943) | about 8 months ago | (#45600855)

Cover your own arse. Document that you were the one reporting the problems and violations. You may lose your job anyway. Prepare for alternative employment. This is always easier while you are still employed. Once you have a reasonable plan for alternative employment you can start making demands. You may either be the hero, or you may end up in the other job.

Up to you (1)

Drethon (1445051) | about 8 months ago | (#45600873)

To me it is all based on what your own conscience demands. I spent years battling with my employers about their testing methods (the solution to the program crashing is the user should never enter that combination of values... yet you aren't going to prevent them from doing just that?) and got nowhere. At this point I put in my 40 a week, document the rejection of my recommendations (e-mail archives are your friend) and take pride in what I do outside of work.

If your conscience won't allow for that... ask someone else.

Approach the CHAIRMAN not the CEO (1)

Bruce66423 (1678196) | about 8 months ago | (#45600877)

It's his responsibility to protect the company from idiots. Alternatively speak to the auditors, who also have a duty to report concerns. But on the whole you are probably screwed; whistle blowers tend to be shot on principle even if they have done the right thing - a new job is probably the best solution.

Impossible. (1)

Anonymous Coward | about 8 months ago | (#45600901)

I've been told repeatedly here on slashdot and elsewhere that private companies, especially big ones, don't have IT problems, only the government does because everything the government does is terrible while everything the private sector does is perfect. So either you are lying or they are wrong.

Outsourcing (3, Funny)

K. S. Kyosuke (729550) | about 8 months ago | (#45600907)

However it's a security nightmare for sysadmins (which is all outsourced)

So it is the security nightmare that is outsourced? Finally someone got outsourcing right.

Prove It (1)

Jah-Wren Ryel (80510) | about 8 months ago | (#45600911)

Can you get budget to hire a security penetration tester? There are companies which will do penetration testing and then give you a report documenting all of the vulnerabilities they found. With that in hand you have a much stronger case to convince management to fix the problem because now it is a highly qualified security expert that has documented explicit problems.

How serious is it really? (1)

Khashishi (775369) | about 8 months ago | (#45600917)

So let's say it gets hacked. Are we talking minor embarrassment, or serious privacy violations? All big companies patch stuff all the time, after they deploy. Adobe probably has a big list of things that need fixing when they get around to it, which maybe explains why there are constantly updates.

Cover yourself first (0)

Anonymous Coward | about 8 months ago | (#45600937)

When a hacker eventually steals and publishes all the little kids' info, are you the one who will get blamed? If you are, then find a new job now.

Integrity Hotline (4, Interesting)

MNNorske (2651341) | about 8 months ago | (#45600959)

If you're working for a Fortune 500 company there likely will be some form of internal integrity hotline. I know my own corporation has one. Document your concerns and contact them. I recently had to report a concern raised about one of the major offshore contractors we use to our integrity hotline and it was actually a very good experience from my side. After submitting the issue it took a few days but an investigator from our legal department contacted me and we had a phone conversation, and then I forwarded him some additional details I had held back from the initial correspondence. I did that mostly to protect an individual from the contractor who brought the concerns to my attention.

I would make sure that the correspondence you send to your legal department includes copies of some of the email chains you have with your managers, peers, etc... raising the concerns. Be sure to specify any regulations you suspect are being violated. If the legal team determines there is concern you can bet that change will happen. If they determine otherwise, then you've done your due diligence and reported it within the means your company gives for you to report it.

4chan (0)

Anonymous Coward | about 8 months ago | (#45600963)

Get numerous written reports with security concerns and documentation. Get written notice from your superiors to make no changes. Leak some information to 4chan.

Eat popcorn.

Re:4chan (0)

Anonymous Coward | about 8 months ago | (#45601275)

Don't leak it on /v/ or /g/, we have enough trouble staying on topic as it is.

File it under NYP (0)

Anonymous Coward | about 8 months ago | (#45600965)

Not your problem.

Take your money and run to the ... sofa.

Been there (1)

Anonymous Coward | about 8 months ago | (#45600979)

I did the smart thing; put my paper on the street (immediately) and started searching for a better, smarter, place to work (and found it). When shops abandon all the lessons and experience learned over decades of maturing our industry, it is unlikely to matter. "Agile" has been and is often used as an abomination to do away with pesky issues such as quality control, proper coding, release strategies, and requirements (don't be haters, Agile used correctly is a powerful tool for rapid development). Turning everything into a "beta" product that is ripe for failure and abuse and releasing it to the public, and the burden of the results or responsibility will not fall on the shoulders of those who made that decision. That's why they made it. Since you're in a Fortune 500, I would look for greener pastures inside as well as talk with a few 'good/effective' recruiters.

Do the right thing for yourself (0)

Anonymous Coward | about 8 months ago | (#45600993)

If your company is breaking the law you should report it to your legal department via email AFTER discussing it with your manager and cc him and his boss. Alternatively visit your HR representative, whose job it is to protect the company, not watch out for you, and discuss it with them. If you do not, one day the hammer will come down and you will be thrown beneath it in the interests of mitigating damage to the company. If they decide to hammer you for reporting the issue then it's not a company you should work for, is it?

Or you can give notice and explain your reasons for leaving at the exit interview.

Talk to an attorney. (1)

Anonymous Coward | about 8 months ago | (#45601017)

You should get advice from an attorney. You COULD be held responsible if something happens. Do you think your boss would stand by you and say you did your job, but she told you to wait?

Prosecutors would pin it on you because you failed to report it, and those truly guilty would use you as a scapegoat. Be smart, talk to an attorney, then at the very least you need hard evidence that you went to your boss, several times, and even over her head. If you have plausible deniability, then you are mostly covered.

Watch your p's and q's. Dot your i's and cross your t's.

Rule #1 of business (0)

Anonymous Coward | about 8 months ago | (#45601027)

Credit travels up, blame travels down. Make sure you are up and out before it happens.

how much money can be lost? (1)

alen (225700) | about 8 months ago | (#45601035)

What's the worst thing that can happen if the site is hacked? Any CC info? How much money will be lost?

Not every site and data should be treated like Fort Knox. Keep your emails for CYA purposes and keep doing what you are doing.

Whitepaper (1)

Spazmania (174582) | about 8 months ago | (#45601049)

I wrote a memo laying out all the issues in layman's terms and proposing solutions. Then I gave it to my boss. A little while later with no further movement on the problem, I quit.

A year passed and the system was hacked. Publicly. Embarrassingly. Folks here on Slashdot asked what the sysadmins could possibly have been thinking. So, I published a copy of the memo I had written.

Your mileage may vary.

Like the previous article... (0)

Anonymous Coward | about 8 months ago | (#45601057)

move on to a company that knows what they're doing.

Contact your companies Compliance Officer (3, Insightful)

Anonymous Coward | about 8 months ago | (#45601063)

A fortune 500 company that deals with any area that has Federal compliance laws like COPPA, HIPAA, etc. should have a compliance officer. They would be the person to contact for issues like this and contacting them should address all your issues.

1) It gives a paper trail showing you raised the issue and should prevent you from being the scape goat when something happens.

2) It should give you someone who understands the relevant compliance laws and the risks associated with not complying.

3) The compliance officer should then have the juice to get something done if they determine this is a legitimate issue. If they determine it isn't an issue then their neck is on the line not yours.

This happened to me. Please read the following (3, Interesting)

Anonymous Coward | about 8 months ago | (#45601075)

This happened to me when I was contracting for the USDA. Developers were pulling SQL statements in url strings. No... I'm not kidding. Literally "SELECT * FROM .

1) keep a copy of every email you sent.
2) evaluate the situation from an objective point of view. Should security be breached... what would be the possible fallout?

If personal information loss is part of this, immediately take your concerns to your legal team. In my case, I was told by several individuals it was not a problem and it was safe, followed by my supervisor who told me it would be fine. I was okay with it until I realized I could pull anyone's private information this way including social security numbers.

The legal team was very easy to work with. We had to self report 56 violations and my supervisor and two developers were terminated.
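The pattern the comment above describes (the SQL statement itself arriving in the URL) beside a handler that keeps the SQL fixed, as an added illustration that is not the commenter's code or the USDA system; the table, rows, names and SSNs are constructed sample data, and the `people` table and the `q`, `id` and `field` parameter names are assumptions for the demo:

```python
"""Added example: SQL-in-the-URL anti-pattern vs. a fixed, parameterized query.

Constructed sample data; not code from the page, the commenter or the USDA.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (fake names and fake SSNs).
_ROWS = [
    (1, "Alice Example", "111-22-3333"),
    (2, "Bob Example", "444-55-6666"),
]


def make_db():
    """In-memory table standing in for the real records store (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", _ROWS)
    return conn


def vulnerable_lookup(conn, url):
    """The anti-pattern: executes whatever SQL arrives in the 'q' parameter.

    Any caller who can edit the URL chooses the statement, so every column
    of every table (here the ssn column) is readable.
    """
    sql = parse_qs(urlsplit(url).query)["q"][0]
    return conn.execute(sql).fetchall()


# Columns a caller is permitted to ask for; ssn is deliberately absent.
ALLOWED_FIELDS = {"id", "name"}


def hardened_lookup(conn, url):
    """Hardened form: the statement is fixed in code.

    Only an integer id and an allow-listed column name are taken from the
    URL; the id is bound as a query parameter, never concatenated.
    Raises ValueError for anything outside the allow-list.
    """
    params = parse_qs(urlsplit(url).query)
    field = params.get("field", ["name"])[0]
    if field not in ALLOWED_FIELDS:
        raise ValueError("field not permitted")
    try:
        person_id = int(params["id"][0])
    except (KeyError, ValueError):
        raise ValueError("id must be an integer")
    # Column name comes from the allow-list; the value is a bound parameter.
    sql = f"SELECT {field} FROM people WHERE id = ?"
    return conn.execute(sql, (person_id,)).fetchall()


def rejects(url):
    """True when the hardened handler refuses the request."""
    try:
        hardened_lookup(make_db(), url)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "/people?q=SELECT+ssn+FROM+people"))
    print(hardened_lookup(db, "/people?id=1"))
    print(rejects("/people?id=1&field=ssn"))
```

The point to take from the hardened version is structural: the only decision the URL gets to make is "which row, which allow-listed column", and nothing else the caller types can change the shape of the statement, which is what the legal review in the comment above ultimately had to self-report.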

In this case I follow my uncle's advice (1)

NotSoHeavyD3 (1400425) | about 8 months ago | (#45601097)

He's of the opinion that you give your opinion once. If they choose not to listen to you well fuck them. (Admittedly my uncle is very smart, has an ivy league degree. Anybody that ignores his advice is royal fucked.) I'm guessing the best thing to do is start looking for a new job because some how I doubt they'll suddenly get smart. (They'll probably just manage the company into the ground and then blame you for it.)

A union would be helpful in this situation (3, Insightful)

Goonie (8651) | about 8 months ago | (#45601121)

While trade/labor unions are much maligned in the often libertarian-leaning IT community, this is the kind of situation where a bit of organization amongst colleagues - along the lines of what engineers or medical professionals have, would actually be useful.

But given that we have the IT professional community that we have:

  • Document that you've told your boss, and probably your boss's boss, and probably the legal department (perhaps informally and verbally initially). If you've told them, it's their problem, not yours
  • Start polishing your resume. Whistleblowing usually has negative consequences for the whistleblower - and, furthermore, continuing to work for an organization which has such a lax attitude to software poses a risk to your career if you stay there.

Incidentally, your case neatly demonstrates the near-uselessness of the IEEE-ACM Software Engineering Code of Ethics [computer.org], which is very long on what the ethical obligations of a software engineer are, but has nothing useful to say about what you should do where others are ordering you to act unethically.

Re:A union would be helpful in this situation (0)

Anonymous Coward | about 8 months ago | (#45601427)

Incidentally, your case neatly demonstrates the near-uselessness of the IEEE-ACM Software Engineering Code of Ethics [computer.org], which is very long on what the ethical obligations of a software engineer are, but has nothing useful to say about what you should do where others are ordering you to act unethically.

I always thought it was pretty clear. If someone is ordering you to be unethical, don't. Easier said than done, yes. Doctors make enough money to easily move on when asked to violate their code of ethics. With engineers it's not so simple. I found myself in a similar situation a few years ago at a startup. My solution was to form a release process that didn't require my signature, but did require the signatures of several directors and a VP. I convinced them that the act of releasing software resulted in a company expense high enough to warrant such measures. I still didn't like it, but I didn't release crap without going through days of explaining to management how much money it was going to cost to deploy crap and to get their express written approval to do so.

Let the stockholders deal with it (0)

Anonymous Coward | about 8 months ago | (#45601157)

I suggest you anonymously post the issues to some very public place.
The stockholders should deal with it, due to the huge liability issues.

Think of it as banking overtime (1)

SuperCharlie (1068072) | about 8 months ago | (#45601161)

Sure send your notification emails and cya.. once that's done it's more a game of wait for the overtime, because when, and I mean when, it goes down it will be like Oprah came by with.. And overtime for you, and for you, and for you.. overtime for everyone until we fix this!!

Explain clearly how easy it is to breach (1)

Beeftopia (1846720) | about 8 months ago | (#45601185)

Step by step, so a non-technical type can understand just what the issue is. "Security" for some folks is a vague amorphous issue with no real consequence. I've been stunned by some of the malware and lack of security I've seen on people's computers. They don't "get it." They don't understand the risk and the damage.

Help your boss "get it" if that's the issue. Explain the consequences of a breach, and the damage to the brand. Show with other examples in the media.

My $0.02.

Give up... (0)

Anonymous Coward | about 8 months ago | (#45601199)

Give up and come work for me.

Your first job will be to make a couple of security attacks on your old company.

I have a couple of million I can use to short those idiots....

Document, do nothing (3, Informative)

onyxruby (118189) | about 8 months ago | (#45601203)

Document the issues so that it is clear you are aware and tried to do something about them. Bring them up verbally to your boss - without being obnoxious about it. Once you've done those, then you need to do the hardest thing of all, which is to let it go. If you make too big of a deal about it you will be seen as a troublemaker. If you do nothing you will be seen as complicit or incompetent if there is a violation.

Now in certain industries you may have requirements (possibly enforced by law) that require you do to more. Most of the time that isn't the case and you have to let it go and move on with other things. Often times disasters are the only way that people higher up the food chain can and will learn.

I recall when Nimda was making its rounds in 2000. I was aware of the worm, had the patches downloaded, instructions printed and had requested permission to patch servers. Permission was denied. I asked again, it was denied again. I had awareness of the issue, my statement of the severity and denial all in writing.

I watched a fortune 25 company go down for 2 days and lose $100 million dollars and countless workers get sent home when their facilities were rendered useless. As a result an inflexible policy was changed and any number of people were fired or disciplined. Because I had documented everything I was just about the one person nobody faulted.

Do the right thing (1)

Anonymous Coward | about 8 months ago | (#45601227)

#1: Document every security problem you find and rank them in severity as far as how much they'd hurt the business if they were exploited. Document steps to exploit them from the outside if you know how, or if only exploitable from the inside, document how that could be done too.
#2: Notify appropriate management of all these documented issues, particularly the ones most damaging to the business that would be easy to exploit from outside.
#3: Explain the consequences if the exploit occurs. It might not be a bad idea to find news stories of other organizations that have been compromised to show the fallout from such problems.
#4: Document steps to rectify the exploits if you know how to, in as much detail as you can and preferably with time estimates.
#5: If all of this falls on deaf ears, go higher up. Find another job before doing so (at least get an offer) if you believe you will receive backlash for going above management's head. Honestly if the management above your manager is competent, they will greatly appreciate your efforts.
#6: You can also publish this list to any communally-accessible location and send it to all the developers in your company who are creating software that has security holes or could have them. Knowledge is power and I doubt all your engineers know they're creating dangerous security problems.
#7: Do what you can with the code you control. Lock down and secure whatever is most important. Let the small problems slide if it means the big ones get plugged. This is why the severity ranking is important, to help you and others prioritize.
#8: You should also log all these issues as defects and assign them to the appropriate person/team as ship-stopping defects, so that the software CAN'T be released until they're fixed. At least, that's how it works in a healthy development shop (which it sounds like you're not part of at the present time).
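Steps #1, #7 and #8 above (rank by how much a finding would hurt the business, prioritize by that ranking, and treat the worst ones as ship-stopping defects) can be turned into a small, repeatable release gate. The following is an added example, not the commenter's process or any tooling from the poster's company; the impact and exposure scales, the threshold, and the sample findings are all constructed assumptions for the demo:

```python
"""Added example: severity ranking plus a ship-stopping release gate.

Not the commenter's tooling; scales, threshold and findings are constructed.
"""
from dataclasses import dataclass

# Assumed business-impact scale (step #1: how much it hurts if exploited).
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed exposure multiplier: issues reachable from outside outrank
# internal-only ones (step #2 singles those out).
EXPOSURE = {"internal": 1, "external": 2}
# Severity at or above this blocks a release (step #8). Assumed value:
# "high" impact reachable from outside, or worse.
SHIP_STOP_THRESHOLD = IMPACT["high"] * EXPOSURE["external"]


@dataclass
class Finding:
    id: str
    title: str
    impact: str        # key of IMPACT
    exposure: str      # key of EXPOSURE
    fix_hours: float   # step #4: estimated effort to rectify
    fixed: bool = False

    @property
    def severity(self) -> int:
        return IMPACT[self.impact] * EXPOSURE[self.exposure]


def ranked(findings):
    """Open findings, highest severity first, cheapest fix first on ties."""
    return sorted(
        (f for f in findings if not f.fixed),
        key=lambda f: (-f.severity, f.fix_hours, f.id),
    )


def release_gate(findings):
    """Return (ok, blockers): ok is False while any ship-stopper is open."""
    blockers = [f for f in ranked(findings) if f.severity >= SHIP_STOP_THRESHOLD]
    return (not blockers), blockers


def report(findings) -> str:
    """Plain-text ranking suitable for the email in steps #2 to #4."""
    lines = ["id    sev  impact    exposure  est.h  title"]
    for f in ranked(findings):
        lines.append(
            f"{f.id:<5} {f.severity:<4} {f.impact:<9} {f.exposure:<9} "
            f"{f.fix_hours:<6} {f.title}"
        )
    ok, blockers = release_gate(findings)
    lines.append("release: " + ("OK" if ok else
                 "BLOCKED by " + ", ".join(b.id for b in blockers)))
    return "\n".join(lines)


# Constructed sample findings (hypothetical titles, not from the page).
SAMPLE_FINDINGS = [
    Finding("F-1", "unauthenticated read of user records", "critical", "external", 4),
    Finding("F-2", "session token accepted after logout", "high", "external", 16),
    Finding("F-3", "verbose stack traces on error pages", "medium", "external", 2),
    Finding("F-4", "shared admin password in build scripts", "critical", "internal", 8),
    Finding("F-5", "outdated library, no known issue", "low", "internal", 1, fixed=True),
]


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```

Running it prints the ranked list and "release: BLOCKED by F-1, F-2"; marking those two fixed flips the gate to OK while F-3 and F-4 stay on the list as step #7's "small problems" to work through next. Wiring `release_gate` into the deployment pipeline is what makes the defects ship-stopping in practice rather than only on paper.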

Wild guess (1)

hcs_$reboot (1536101) | about 8 months ago | (#45601287)

Your company is Sony?

Drop the dime (1)

g0bshiTe (596213) | about 8 months ago | (#45601311)

If it's dealing with children and you are that concerned and management has done nothing to change it, blow the whistle on them.

Who is the business owner of the app? (1)

macbeth66 (204889) | about 8 months ago | (#45601395)

You should include the business owner on your emails to your boss outlining what is wrong AND how to fix the problem. Include in the what is wrong part, why the app is vulnerable.

Since you state that you came into the migration towards the end of the process, state that you are just now understanding that these issues even exist.

Is it... (1)

rhazz (2853871) | about 8 months ago | (#45601397)

Webkinz?

signs (1)

DriveDog (822962) | about 8 months ago | (#45601491)

Difficult to imagine the powers that be caring much about application security if they're willing to outsource sysadmin duties. And yes, I know that's common. But that doesn't make it sensible from a risk management viewpoint.

On the technical side (1)

Beryllium Sphere(tm) (193358) | about 8 months ago | (#45601493)

So you've got a vulnerable web app that can't be fixed with new vulnerabilities being introduced all the time.

That's what web application firewalls are designed for. Installing one takes less schedule time than doing things right would take, and it might work better than nothing.

Though of course this is not a technical problem, it's easier to paper over a people problem with a technical patch than it is to fix people.
