Slashdot Mirror
Ask Slashdot: Application Security Non-existent, Boss Doesn't Care. What To Do?
An anonymous reader writes "I am a senior engineer and software architect at a fortune 500 company and manage a brand (website + mobile apps) that is a household name for anyone with kids. This year we migrated to a new technology platform including server hosting and application framework. I was brought in towards the end of the migration and overall it's been a smooth transition from the users' perspective. However it's a security nightmare for sysadmins (which is all outsourced) and a ripe target for any hacker with minimal skills. We do weekly and oftentimes daily releases that contain and build upon the same security vulnerabilities. Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department. I inform my direct manager and colleagues about security issues before they are deployed and the response is always, 'we need to meet deadlines, we can fix security issues at a later point.' I'm at a loss at what I should do. Should I go over my manager's head and inform her boss? Approach legal and tell them about our many violations of COPPA? Should I refuse to deploy code until these issues are fixed? Should I look for a new job? What would you do in my situation?"
Cover your ass BEFORE you talk to somebody in legal. The legal department is there to protect the company and NOT its employees. A good legal dept will say "hey, this employee is trying to reduce our liability" -- but a bad one will say "this employee is a liability" and shoot the messenger.
I agree, but I wouldn't be underhand and I certainly wouldn't use read receipts. That looks horribly like the very worst kind of arse covering.
You shouldn't go over your boss's head. Juggling a large number of conflicting priorities is what managers are paid to do, and you won't do yourself or anyone else any favours by undermining your boss's judgement in that way. But you should also consider the risk that she consciously has her own best interests at heart rather than the business's interests. She might have the view that, in the event of a security debacle, she will pretend that the team messed up and failed to follow instructions, and simply ride out the storm. In the meantime, she looks efficient and appears to gets jobs done quickly with a minimum of fuss.
Instead, you should sit down with her and clearly express your concerns. You should then follow up your meeting with a very clear email that summarises the conversation. You need to start with an assertive but non-hostile comment that leaves no-one in any doubt what has happened - something like this, "As we discussed earlier, these are the security issues where I believe that we are falling short of regulatory expectations..." Print out that email and take it home with you.
At that point, your boss has three options. 1. She can fix things. 2. She can escalate up the food chain, so that someone bigger than her can decide whether poor security is really in the company's best interests. 3. At huge personal risk, she can quietly ignore you.
Middle managers tend to have pretty strong survival instincts, so option 3 is very unlikely to to fly. Option 2 is pretty likely, and her manager might well say that security is too expensive/awkward/boring/inconvenient. If that happens, you're probably better off working some place else where you can be proud to turn up in the morning.
If you don't let me fix them, you will have to take the blame.
Word to the wise. Don't ever tell your boss what they need to do. I've been in the work force for over fifteen years, and this holds true for small business all the way up to large enterprise.
Best case, you've aggravated them and they will retaliate somehow. Worst case, you've aggravated them and they will retaliate somehow.