
Ask Slashdot: Application Security Non-existent, Boss Doesn't Care. What To Do?

I'm really sick and tired of Slashdot doing posts like this, but it isn't Slashdot's fault. It's our industry's fault.

Here's the question:

"I am a senior engineer and software architect at a Fortune 500 company and manage a brand (website + mobile apps) that is a household name for anyone with kids. This year we migrated to a new technology platform including server hosting and application framework. I was brought in towards the end of the migration and overall it's been a smooth transition from the users' perspective. However, it's a security nightmare for sysadmins (which is all outsourced) and a ripe target for any hacker with minimal skills. We do weekly and oftentimes daily releases that contain and build upon the same security vulnerabilities. Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department. I inform my direct manager and colleagues about security issues before they are deployed and the response is always, 'we need to meet deadlines, we can fix security issues at a later point.' I'm at a loss as to what I should do. Should I go over my manager's head and inform her boss? Approach legal and tell them about our many violations of COPPA? Should I refuse to deploy code until these issues are fixed? Should I look for a new job? What would you do in my situation?"

I guess I'm getting a bit passive-aggressive in my old age because here's my reaction:

Well, it sounds like you've done the responsible thing and tried to raise the issue. That's important because that is what I'd recommend. You need to make at least 3 attempts at warning your employer before you give up. Each time, make sure you explain it in terms of the business impact, not in geeky technical jargon. In other words, "The system could be penetrated and credit card numbers could be stolen" is business impact. "There's a buffer overflow in the PHP framework being used" is geeky technical jargon. Explain it without sounding alarmist, but be firm. File a bug for each issue so that there is visibility and a record of when the issue was first raised.

However, it seems like you've already done that. Your question isn't "what should I do?" but "what should I do now that warnings have failed?"

I guess I'm getting a bit passive-aggressive but the answer is, "Let them fail."

You've done your job. You have a technical position and your role is to raise technical issues. You aren't in management. Management's job is to set priorities. They've set the priorities: security is low priority.

Management won't give security any higher priority until a few "household names for anyone with kids" have catastrophic outages and security issues that are "New York Times Front Page" stories. For some executives the only motivation is fear of public embarrassment.

Once that happens management will finally take action.

What action? If they are smart they'll change their technical strategy and fix the problems: put into place controls and procedures to fix problems before they happen. In that case, good for them. If they are dumb they'll hire a slick "snake-oil salesperson" that will charge a lot of money but not actually improve things. In that case, they'll go out of business (or the executives will be fired) when there are more problems or a company better at technology is more successful.

Isn't it about time that dumb companies go out of business? Isn't it better for dumb executives to get fired?

Yes, it is.

So why are you helping them stay in business? Why are you sheltering a dumb person from the effects of their ignorance?

Does any company think it is so unaffected by the "computerization of everything" that it can hire technologically illiterate executives?

When AT&T Wireless went out of business and sold their name (and their customer list) to SBC, didn't it improve the world?

Of course, the most ethical thing to do would be to educate them and help them change their ways. However, that was not your question. Your question was "what now that I have failed?"

Oh, that reminds me. One of the most important parts of working in IT is being able to communicate effectively to executives the business impact of these things. My definition of "effective" is that they decide to make the changes required to fix the problems you are concerned about.

Failure of communication is a two-way street. The information sender has to succeed and the information receiver has to succeed. If either fails, both fail.

So that's the real bad news here. You are just as much a failure in communicating to them as they are a failure in receiving the information.

So, if you have failed, doesn't that mean we need to get you out of there for the same reason we need to get failed executives out of companies (or failing companies out of the market)?

Yeah. That.

So if you leave maybe your replacement will be better at "one of the most important parts of working in IT": communication. Or maybe you can step back and completely change your tactics.

If you are going to leave, read my "So your management fails at IT, huh?" blog post. It will help you feel better about leaving such a messed-up company.

If you are going to change your ways, let me recommend The Phoenix Project. It will open your eyes to an entirely different way of communicating and interacting with executive management about IT.

I hope you pick the latter. It is probably the better thing to do for your sanity, your stress level, and your career.

Posted by Tom Limoncelli in Rants, Security

1 Comment

Unfortunately, we see a lot of this.
