

Security Plans for When Your Senior Developer Leaves?

An anonymous reader asks: "Our CTO, responsible for all hardware and networking setup, who also coincidentally happens to be our senior (and only) developer, has just resigned to go work for the competition. We are not a software company, but he's written proprietary code that we use on a daily basis to work. What interim measures should we be taking to ensure a smooth transition to the next person hired to take over? What can we do about security, since this person designed and implemented all current security procedures? What about ensuring that we have all the intellectual property to which we're entitled? As one co-worker put it: 'His resignation was a surprise to us, but it definitely wasn't a surprise to him.' If he wanted to leave some hard-to-find malicious timed-release back-door-opening code running, it's certainly within his means. We don't expect any malicious action, and can rely on a reasonable level of co-operation and documentation before he goes, but I want to get a sense of what others have done in this situation."

17 of 90 comments

  1. Malicious action on his part would make your day. by Elwood P Dowd · Score: 3, Insightful

    Get your lawyers lubed up and ready to go.

    --

    There are no trails. There are no trees out here.
  2. Too late! by Anonymous Coward · Score: 5, Insightful

    You should phrase the question "what should we do the next time"

  3. This isn't a technological problem by MerlynEmrys67 · Score: 3, Insightful

    This is a legal problem. I assume that you have all of the agreements in place (signed NDAs, Non-Competes, etc.). So from there just monitor what is going on. Frankly if you are losing your CTO, only developer, etc. you are screwed as a company anyway, so maybe it is time to update your resume and get a head start on the new job search that is most likely coming your way.

    --
    I have mod points and I am not afraid to use them
  4. Trust by HRbnjR · Score: 4, Insightful
    What can we do about security, since this person designed and implemented all current security procedures? If he wanted to leave some hard-to-find malicious timed-release back-door-opening code running, it's certainly within his means.

    If you think they are the type of person who may do something like that, you probably shouldn't have put them in charge of security.

  5. Is this a one-man company? by Radical Rad · Score: 2, Insightful

    Nah just kidding.

    I would suggest making two complete backups of all data on all machines. That way if there were a problem then the backups could be used for forensics. Second, monitor any connections to the network from remote access modems or internet connections using an intrusion detection system. Then just relax. If the guy is leaving on good terms then you probably have nothing to worry about.

  6. Re:start from scratch! by metacosm · Score: 4, Insightful
    God -- comments like this make me a bit crazy -- this is a company, unlike you, they don't live in fantasy land.

    Any company with one developer is going to be a small business -- small businesses have budgets, just like REAL people -- believe it or not, companies don't want to spend every penny of budget on IT, since -- without sales -- there is no damn IT department. Making a bunch of silly recommendations that are beyond the means of this company is silly.

    Some of your recommendations are valid:
    • Secure core machines (possibly with a consultant)
    • Make sure that you have backups and do test restores, move backups off-site every once in awhile


    The rest of your recommendations were intelligent assuming a magical world with no budgets, no deadlines and no need to be realistic. But -- if you take into account the real world -- they were moronic.
  7. He is probably more worried than you... by (H)elix1 · Score: 3, Insightful

    For the most part, if they were really malicious, you are boned anyhow.... The good news is development is really a small community - even if they don't get the book thrown at them, I know folks that were more or less excommunicated because of bridge burning and other stupid departure tricks. More than ever, jobs are had by personal recommendation rather than some recruiter pushing your resume. You may not like your job, your peers, etc - but I've seen prospects burned before they got in the door because of what they did at a company or three back. Odds are, if this guy was a senior level developer, he has more at stake than you. I know I made sure everything was checked in, documented where possible, and asked IT to change my passwords - I also never checked to see if they did...

  8. audit the code by falsification · Score: 4, Insightful
    First and most obviously, get him to document his code fully and properly before he leaves. It's the honorable thing to do. In addition to writing up documentation, the code should be fully commented. He should walk people in your company through how to compile the code. Maybe there's a trick to it.

    Then, once he's gone, audit the code. Maybe you'll need to hire an outside consultant to do it. Anyway, once the source code is audited, you still aren't in the clear. It could be that he put a backdoor in the binaries, leaving the backdoor out of the copy of the source code he pointed you toward. Thus, once you are done auditing the code, compile it. Do a file compare of the current binaries and the newly compiled binaries.

    In Windows, the command line is fc /b filename1 filename2.

    If there are any differences, that doesn't necessarily mean anything significant. Move the current binaries to a temp directory or someplace out of the way. Don't delete them, as they could be important later. Copy the newly compiled binaries in. Test the whole system to make sure it works.

    As for ensuring your intellectual property is protected, I don't know how you can truly do that from a technical standpoint. You should notify your corporate legal counsel of your concern. If you don't know who that is, bring it to your CEO's attention.

    Good luck.
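    The rebuild-and-compare step described in comment 8 (and the "keep the originals for forensics" point from comment 5), as an added example in POSIX shell that is not code from this thread. It assumes cmp(1) and either sha256sum or shasum are installed; cmp -s plays the role of the Windows fc /b command mentioned above, and the directory names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the "rebuild, then compare against
# the deployed binaries" step from comment 8, in POSIX shell.
# Assumptions of this example: cmp(1) and either sha256sum or shasum are
# installed; the directory names used here are placeholders.

# Hash helper: GNU sha256sum where present, shasum on BSD/macOS otherwise.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# compare_builds DEPLOYED_DIR REBUILT_DIR QUARANTINE_DIR
#  1. Writes a SHA-256 manifest of every deployed file to QUARANTINE_DIR
#     before anything is touched, so there is a record of what was running.
#  2. Compares each deployed file byte-for-byte with its rebuilt counterpart
#     (cmp -s is the POSIX analogue of the Windows `fc /b` above).
#  3. Moves, never deletes, any deployed file that differs or has no rebuilt
#     counterpart into QUARANTINE_DIR. The caller then copies the rebuilt
#     files in and tests the system, as the comment describes.
# Returns 0 when every deployed file matched, 1 when something needs a look.
compare_builds() {
    deployed=$1; rebuilt=$2; quarantine=$3
    mkdir -p "$quarantine"
    ( cd "$deployed" && for f in *; do
          if [ -f "$f" ]; then sha256_of "$f"; fi
      done ) > "$quarantine/deployed.sha256"
    status=0
    for path in "$deployed"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if [ ! -f "$rebuilt/$name" ]; then
            echo "MISSING  $name  (no rebuilt counterpart; moved to quarantine)"
            mv "$path" "$quarantine/$name"
            status=1
        elif cmp -s "$path" "$rebuilt/$name"; then
            echo "same     $name"
        else
            echo "DIFFERS  $name  (moved to quarantine)"
            mv "$path" "$quarantine/$name"
            status=1
        fi
    done
    return $status
}

# Constructed fixture (toy text files standing in for binaries): one file that
# matches, one that differs, and one deployed file with no rebuilt counterpart.
# Sets DEMO_DIR so a caller can inspect the result afterwards.
demo_compare_builds() {
    DEMO_DIR=$(mktemp -d)
    mkdir -p "$DEMO_DIR/deployed" "$DEMO_DIR/rebuilt"
    printf 'app build 1\n'    > "$DEMO_DIR/deployed/app"
    printf 'app build 1\n'    > "$DEMO_DIR/rebuilt/app"
    printf 'helper v1\n'      > "$DEMO_DIR/deployed/helper"
    printf 'helper v1 + x\n'  > "$DEMO_DIR/rebuilt/helper"
    printf 'unexplained\n'    > "$DEMO_DIR/deployed/extra"
    compare_builds "$DEMO_DIR/deployed" "$DEMO_DIR/rebuilt" "$DEMO_DIR/quarantine"
}

# Run the demo with: sh compare_builds.sh demo   (exit status 1 = mismatches found)
if [ "${1:-}" = demo ]; then
    demo_compare_builds
fi
```

    As the comment says, a difference is not by itself significant: a compiler that embeds build timestamps or paths will produce a different file from the same source, so a mismatch is a prompt to look at that file, not a verdict. A file with no rebuilt counterpart is the more interesting case, because it means the supplied source does not account for everything that was running.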

  9. Re:Dot Bombs Are Perfect Model by JamMasterJGorilla · Score: 2, Insightful

    You need to expand the depth of your paranoia. It was only deep enough to scare away your CTO. A little deeper and you would have had a backup CTO in a secure location in anticipation that the first would quit and take everything... The funny thing is you never had anything of value in the first place, well except the employees that left...

  10. don't be an idiot and learn... by kevin lyda · Score: 4, Insightful

    first, treat the person leaving with respect. if this person is mature then they won't burn bridges - neither should you.

    don't accuse him of things he might not have done. don't screw around with his career. shake hands, wish him well and generally be professional. it's business. cope.

    second, solve your problems. the person who is leaving has his own issues - poor communication, poor loyalty, excessive greed, whatever. those are his problems. let him work on those, they're not your problem.

    the main reason for your discomfort is that you put all your eggs in one basket. and now your basket has left. so in the future hire two people, not just one.

    and when you have these two people on board, talk to them more often. find out how they feel. you were taken by surprise by this person leaving, that suggests poor communication - on his part or your part.

    finally, you seem to have no idea what code this person wrote even though your business seems to depend on it. does the code go in a source code control system? do you have a release procedure? can you get the previous releases?

    you need to answer yes to all three of those. if you don't answer yes to all of those now, make sure you can in the future.

    --
    US Citizen living abroad? Register to vote!
  11. You need a registered bad-ass by Glonoinha · Score: 4, Insightful

    Quite honestly, your company needs to get their ducks in a row. Here is what you are up against :

    Your company sounds small enough that they had very few 'computer guys' but big enough that the computer infrastructure is fairly complex.

    The guy in charge (your soon to be ex-CTO) probably designed and built the existing systems from the ground up. As he didn't have anybody watching over his back, do not be surprised if there is some jury-rigging in there. He probably shared some of the quirks with some of the other computer guys, but not all.

    He may be an important part of the wet-ware in your system. An easy to understand example would be a bowling alley - if your company has to bowl a strike every time the ball gets thrown, he was the guy that walked down the alley continually making minor adjustments to the path of the ball. This could be custom reporting on your data, swapping out the backup tapes, deleting temporary files, cleaning out the log files so they don't fill the hard drive, or booting the servers in a particular order so as not to overload the UPS. These have become routine tasks that he takes for granted and probably doesn't even think about any more, so when he doesn't mention them (and they don't get done) ...

    You have some pretty important apps, and he may be the only guy who understands how they work.

    Today is the day of truth, you are on the cusp of finding out if he is disgruntled or not. If he is disgruntled, the LAST people you want talking to him are HR. They will either piss him off more than he is, or try to bully him - you need to get his favorite tech to take him off-site, dinner or to a strip club, and off the record find out why he is leaving, what his primary concerns are, what he would honestly have changed given the chance, what he anticipates the hot-spots being after he is gone, and most importantly : does he have any recommendations for a good replacement.

    This last one is key. There are lots of paper tigers out there (MCS* certs), lots of guys that are good at network administration, lots of guys that can code language A or B or C++, lots of guys that can diagnose and maintain an SQL Server, and lots of guys that can operate in the role of CTO to work as manager and liaison between the IT department and upper manglement. You are going to find precious few people that can do ALL of the above (*), and unfortunately that is exactly what you need to do - and find a guy that enjoys doing it because the first few months are going to be rough. Doubly rough if your CTO is disgruntled, so if one of his trusted colleagues was in there he might hesitate before setting off some time bombs that his pal is going to have to clean up.

    The penalty for getting this wrong is going to be pretty severe.

    (*) I would be perfect for the job, but I am pretty happy where I am.

    --
    Glonoinha the MebiByte Slayer
  12. Run, run competent staff! by coyote-san · Score: 2, Insightful

    Yeah, the lawyers and HR would love that but anyone worth their pay would run the instant you suggested it.

    "Intentional security breaches," for instance. Okay, no problem, none of us want intentional security breaches and since Outlook and MSIE are both responsible for a large number of breaches they're history. What, I can't do that - you're telling me that you're holding my feet to the fire yet denying me the authority to do anything about it? See ya!

    Ditto all of your other suggestions. Of course any code written for the job, at work, for pay, etc., belongs to the company. It may or may not be proprietary, in the sense that I may extend GPL code to fix a problem. It's perfectly legal unless the company wants to distribute the code to others (which doesn't sound like the case here), in which case you need to say so upfront so I can budget about 10x as much resources to duplicate the prior work. But the stuff I do at home, on my own time, is mine.

    I could go on, but it shouldn't be necessary. Anyone with real experience has been burned by somebody with such a list, or had a friend burned, and no matter how bad the economy is they know that unemployment is better than being the target of a lawyer trying to prove that their client's incompetence is really your fault.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  13. Re:start from scratch! by Eneff · Score: 2, Insightful

    Something tells me you've never worked for a small company before.

    The cost of such an action may be more than the company makes all year, if the company is a microbusiness.

    Fast, cheap, good. Pick any two. I'd suggest hiring a CS college student now and having him be the intermediary between the old worker and the new. Keep him on as an intern, and have him in charge of documenting everything.

  14. A problem to be solved long before a resignation by KyleCordes · Score: 2, Insightful

    The way to address this is to hire good people, and treat them well, especially for key positions like this one. That way when the person leaves to move on in their career, it will be with regret and good wishes. They will be eager to help you in any way they can to recover from their departure, rather than looking for ways to harm you.

  15. Re:Two things by TheLink · Score: 2, Insightful

    Yeah make him think twice about it. But what if he wasn't even about to think of it at all? Thought never occurred to him? "Don't think of the potato" sort of thing...

    If you're going to break up, why not remain friends if you can? Not go to "If you take my alarm clock, I'm going to sue you, and remember the time you left the toilet seat up etc". Doh.

    After all the questioner said: "We don't expect any malicious action, and can rely on a reasonable level of co-operation and documentation before he goes,"

    These pieces of paper should only appear when he first started working or during general policy updates.

    I doubt people were talking about kissing the guy's ass. It's more of not burning bridges.

    Remember you MIGHT need to call the guy up for HELP.

    You're proposing a piece of paper that says if you do something bad we'll send you to jail.

    But that stupid piece of paper sure does not incline him to help if something bad happens for other reasons (nothing to do with him) OR you need to change things in your systems around - nothing wrong, business needs often change.

    He's less likely to help people who treat him as if he's the enemy. Goodwill often takes years to build up, and can vanish almost immediately with something like this.

    If you play nice, you are more likely to get free phone/email advice. People in my prev workplace have asked for advice a number of times after I left them, and I've given it free to them.

    I might have still given advice if they had given me such a piece of paper. But unfriendly and risky (threat of jail) environments might mean I'd charge or just hang up.

    Nowadays it's a small world. People are just a few seconds away. Whether for good or for bad.

    --
  16. A bad position to be in by Anonymous Coward · Score: 1, Insightful

    You should have paid him more money, not overworked him, and kept him happy.

    Surprisingly, the several small companies I've worked for treated me like family but drove me off with a combination of mainly extremely long hours and low pay.

    I guess I forgot to tell the small business owner that he owned the company and I did not and therefore he had a huge interest in it making millions of dollars while I would at best get my salary increased 7% a year if things went well.

  17. Re:Actually, what I've seen before by raju1kabir · Score: 2, Insightful
    I've seen this handled in a draconian sort of way in the past - take his stuff and send him home now, pay his salary for the rest of the two weeks. It's not always the best way to handle it, especially when dealing with a C$_O, but it would get the job done.

    It would probably sink the company.

    The reason you have someone escorted out is because you believe they may cause some sort of damage.

    If he wanted to do any damage, he would have done the dirty work in the period between deciding to leave, and telling everyone else that he was leaving.

    At this point, the most damaging thing he could do is leave the building and not share any of the business-critical information inside his head about how the IT infrastructure works. Why would you want to force him to do that? You'd be shooting yourself in the foot.

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS