Ask Slashdot: Application Security Non-existent, Boss Doesn't Care. What To Do?
An anonymous reader writes "I am a senior engineer and software architect at a Fortune 500 company and manage a brand (website + mobile apps) that is a household name for anyone with kids. This year we migrated to a new technology platform including server hosting and application framework. I was brought in towards the end of the migration and overall it's been a smooth transition from the users' perspective. However it's a security nightmare for sysadmins (all of which is outsourced) and a ripe target for any hacker with minimal skills. We do weekly and oftentimes daily releases that contain and build upon the same security vulnerabilities. Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department. I inform my direct manager and colleagues about security issues before they are deployed and the response is always, 'we need to meet deadlines, we can fix security issues at a later point.' I'm at a loss as to what I should do. Should I go over my manager's head and inform her boss? Approach legal and tell them about our many violations of COPPA? Should I refuse to deploy code until these issues are fixed? Should I look for a new job? What would you do in my situation?"
I'd start by not advertising your company's web security vulnerabilities to a large public forum containing a lot of people with security exploit experience and motive, where your synopsis easily reduces the attack vector to significantly less than 500 potential targets. How many Fortune 500 companies exist that target kids, let alone ones that have a female web software development manager? Also, it should be fairly easy for somebody in the industry to discover which Fortune 500 kid-targeted companies outsource their system administration.
At this point, I would do nothing. If they aren't hacked within a week after you posted this article then the security vulnerabilities don't really matter.
This. My last job was at an aftermarket buy/sell/trade website where I got to take over the whole project mid-rebuild after the previous staff walked out/botched the job/etc. The user base was under constant attack from phishing, fraud, and scams doing literally everything you could imagine, including hacking accounts. The users complained about it constantly; people were losing trust in the site.
The owners' only concerns were that I add new functionality. One of them wanted me to build a blog in the midst of all this. They were also totally willing to sell user information to ad companies if it meant better ad deals.
The core of the entire business was the part that was under attack. Being the only programmer there and realizing that there would not be a job left to complain about if I didn't do what needed to be done, I finally just started doing everything once all attempts at communicating the level of importance had failed. Built and integrated security features that had been present in the previous platform. Developed anti-phishing tools. Added intrusion detection for accounts. Built my own anti-spam system. By the time I was done with it, user complaints had nearly stopped and people were significantly more comfortable. Trading went back up. Crisis was over.
Owners didn't think I was working hard enough.
In the end I collected enough numbers to measurably illustrate the impact that my work had on the company, so I resigned with an awesome resume addition in hand that promptly landed me a muuuuuuuch better job with a better company.
Moral of the story: Do your due diligence. Try to communicate the importance. If you can provide numbers that put things in perspective for somebody more business minded - do it. At the end of the day though, owners who don't understand probably won't care. In this particular situation, if I didn't take the action that I did the company would have gone under. Others may be different though, so you need to be able to measure the cost of a breach in financial terms because that is the ONLY thing the owners will care about.
Outside of that, C.Y.A.
"Don't teach a man to fish, feed yourself. He's a grown man. Fishing's not that hard." - Ron Swanson
If you're working for a Fortune 500 company there likely will be some form of internal integrity hotline. I know my own corporation has one. Document your concerns and contact them. I recently had to report a concern raised about one of the major offshore contractors we use to our integrity hotline and it was actually a very good experience from my side. After submitting the issue it took a few days but an investigator from our legal department contacted me and we had a phone conversation, and then I forwarded him some additional details I had held back from the initial correspondence. I did that mostly to protect an individual from the contractor who brought the concerns to my attention.
I would make sure that the correspondence you send to your legal department includes copies of some of the email chains you have with your managers, peers, etc... raising the concerns. Be sure to specify any regulations you suspect are being violated. If the legal team determines there is concern you can bet that change will happen. If they determine otherwise, then you've done your due diligence and reported it within the means your company gives for you to report it.
This happened to me when I was contracting for the USDA. Developers were passing SQL statements in URL strings. No... I'm not kidding. Literally "SELECT * FROM .
1) Keep a copy of every email you sent.
2) Evaluate the situation from an objective point of view. Should security be breached... what would be the possible fallout?
If personal information loss is part of this, immediately take your concerns to your legal team. In my case, I was told by several individuals that it was not a problem and it was safe, followed by my supervisor who told me it would be fine. I was okay with it until I realized I could pull anyone's private information this way, including social security numbers.
The legal team was very easy to work with. We had to self report 56 violations and my supervisor and two developers were terminated.
Or to put it another way, nothing will get fixed as long as the software architect is as gutless as his management and just posts as an anonymous coward and helps conceal the problem. Sure, you don't have to commit career suicide by saying "I'm the guy in the third office on the east wall and I've been reporting all of these problems to Bob but he just lets them slide, here's how to hack our toys", but you could put minimal effort into letting the problems slip out and help the public become aware of them. The hackers likely know about them anyway; management has decided that they don't care, as long as the public doesn't know. When the public knows, they will become interested in fixing it.
I'm an American. I love this country and the freedoms that we used to have.
A lot of pen-tester companies will do some initial work for free. At my work, the company who was asked to present to the responsible committee went round to each person and handed out a little slip of paper with their password on it. They got retained.
[FUCK BETA]
Indeed. However well you document the lack of progress and the disinterest of the managers, when something happens it will be your fault and you will have a shitload of problems. Leave ASAP.
Yes, agree 100%. Leave ASAP.
The other way to think about this is that any organization is only as good as your boss. If she or he is veritable shite, the organization is as well. You are not only wasting your time, you are doing the equivalent of hanging out with a bunch of dicey "friends" who might go do something illegal when they are tanked up.
Well, here's the list:
http://money.cnn.com/magazines/fortune/fortune500/2013/full_list/
They have a website and mobile apps and are a household name for people with kids. Hmm. How about Apple?
Or maybe #66, Walt Disney. Or Time Warner. Or General Mills, or Kellogg. Or Toys R Us. Or GameStop.
Or depending on how much you like having your kids, maybe Las Vegas Sands.
Or depending on how much you liked making your kids, maybe Pfizer.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Why? If the pay is good just keep at it. An employee never needs to become emotionally invested in the company. It's perfectly acceptable to go home every day and complain that the job sucks and everyone there is an idiot. A company that has problems means that there will be a lot of work coming down the pipeline to keep you employed.
It is hubris to leave a job because of management problems at the company that don't affect the actual job, because no one is that important and there are no perfectly managed companies out there. Yes, it's ok to leave because the management problems are causing lots of stress or the hours are too long or something else that affects you personally.
Leaving the company will not fix the problems, but it will create a lot of headaches while finding a new job and waste time learning the new job once there.
The only important thing to do here is to make sure that you inform bosses of any legal issues so that you cover your ass and don't look complicit, but that's easy to do.
This is the best advice. I will add a couple of things.
DO NOT GO AROUND YOUR BOSS. That will get you fired. Raise the issues in email, document them and move on. It is ultimately your boss' responsibility, and the responsibility of people above your boss. Unless your title is CSO or something similar, this is not your problem.
If you want to help your boss, do a risk assessment. Detail what you perceive to be the risks. Detail the potential problems of not doing anything. More importantly, detail what you think the potential solutions are, and what is involved in implementing them. This is important because you want to be constructive, and want to prove that you have put some thought into making things better, and that you are not just a whiner.
Your success or failure will depend on how you present it. The tack I would take with your boss would be something along the lines of, "Security is obviously not a high priority around here. However, I have recognized these risks that expose the company to potential liabilities under COPPA. Here are my suggestions. Now that I have documented these, I can stop thinking about them and focus on the other priorities that our team has to address."
Keep in mind, you are not going to make any friends doing this. Once it is in email, they have to act on it. Not acting on it makes them liable. Keep in mind, it is not your job to do your boss' job. Unless your job description specifically says "Mitigate security vulnerabilities in code before deploying to production," this is not your job. Your job is to do what your boss tells you to do, just as her job is to do what her boss tells her to do, all the way up the chain to the C-level executives and board of directors.