Slashdot Mirror


What Should We Do About Security Ethics?

An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"

10 of 244 comments

  1. What Should We Do About Security Ethics? by doti · · Score: 4, Funny

    Ignore it?

    --
    factor 966971: 966971
  2. Re:Ethics? Where? On Slashdot? by Lunix+Nutcase · · Score: 1, Funny

    So you're saying that you're a Muslim?

  3. Re:Gee, I dunno by Anonymous Coward · · Score: 3, Funny

    how about you gather some evidence and publish it?

    Of course, you'll lose your job over it. So decide now. Do you want to sleep at night? Or do you want to feed your family? That is one end of the spectrum. Another is to gather some evidence in order to ensure job security and hefty pay raises!
  4. Re:Ethics? Where? On Slashdot? by eln · · Score: 3, Funny

    Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to.

    I have a very strong sense of ethics too, and don't sell the information I'm privy to either. Since you say these beliefs stem from your faith, then we must be of the same faith. Always nice to meet a fellow atheist.
  5. Re:Ethics? Where? On Slashdot? by Lunix+Nutcase · · Score: 1, Funny

    Awwww, the user behind this AC post must be really PMSing today to mod me down.

  6. Re:Not much by Qzukk · · Score: 2, Funny

    I'm not sure how this happens either. We recently let a certificate lapse on a domain we stopped using and gave up on. For the 6 months before it expired I got emails from the certifying company up to one every 2 weeks or so at the end.

    Actually, it's pretty easy. See, Jim punched in his email address back when we first got the certificate, so we'd been getting the notices at jim@example.com. Things were fine for a while, but then Jim moved on to another company. Fortunately, we had another Jim, so we just gave the email account to him when the first Jim left, and things were fine.

    Last month Jim turned in his two weeks' notice.

    By the way, we've got an entry level opening some of you might be interested in, just need a PhD, 10 years experience in C#, salary starts at $45k. Oh, and you have to be named Jim. Just send your resumes to jack@example.com...
    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. Re:Three Words: by wellingj · · Score: 2, Funny

    There are some really scary ones in there.

    Google
    Bank of New York
    SAIC
    Amazon.com

    But my bet is on Toys "R" Us

  8. Re:Three Words: by Heembo · · Score: 2, Funny

    But my bet is on Toys "R" Us

    New company jingle?

    "I don't wanna patch up, I'm a Toy's R Us admin, there's a million exploits at Toys' R Us that I can pwn with!"
    --
    Horns are really just a broken halo.
  9. Re:make a false save by myowntrueself · · Score: 2, Funny

    unknown intruders penetrated xxx, because of security failure yyy you have always complained about, and the only reason you just happened to catch it is because you implemented zzz as an afterthought

    Of course, if that was an xxx double-penetration everyone would take notice immediately...

    --
    In the free world the media isn't government run; the government is media run.
  10. Free security ethics tutorials. by Larryish · · Score: 2, Funny

    Free tutorials about ethics in IT security are available from http://www.theregister.co.uk/odds/bofh/