Ask Slashdot: Application Security Non-existent, Boss Doesn't Care. What To Do? 310
An anonymous reader writes "I am a senior engineer and software architect at a fortune 500 company and manage a brand (website + mobile apps) that is a household name for anyone with kids. This year we migrated to a new technology platform including server hosting and application framework. I was brought in towards the end of the migration and overall it's been a smooth transition from the users' perspective. However it's a security nightmare for sysadmins (which is all outsourced) and a ripe target for any hacker with minimal skills. We do weekly and oftentimes daily releases that contain and build upon the same security vulnerabilities. Frequently I do not have control over the code that is deployed; it's simply given to my team by the marketing department. I inform my direct manager and colleagues about security issues before they are deployed and the response is always, 'we need to meet deadlines, we can fix security issues at a later point.' I'm at a loss at what I should do. Should I go over my manager's head and inform her boss? Approach legal and tell them about our many violations of COPPA? Should I refuse to deploy code until these issues are fixed? Should I look for a new job? What would you do in my situation?"
EASY (Score:5, Insightful)
Re:EASY (Score:5, Insightful)
All that, and it wouldn't hurt to print off copies of those emails (and his responses!) and take those home for personal storage. That way, if poop-meets-fan and they suddenly perp-walk you out (before you have a chance to reach for your backups or suchlike) you still have usable documentation - this is in case any governmental authorities get involved, a lawsuit springs from it, etc..
Printing also gives you the advantage of having backups that you can walk out of the building with and not set off any alarms, since many tightly-regulated companies lock down the use of USB sticks, external hard disks, and etc. (my last employer -- a web-banking software house-- would literally fire you on the spot if you got caught using a geek stick or external drive on their desk/laptop equipment or servers - at least if you do it w/o prior written manager authorization and only on authorized devices.)
To top that off, the printed copies are protection against an 'oops - our retention is only set to two weeks and the backups were corrupted somehow; sorry, sucker!' move. F500 firms generally blow away anything in the inbox that's more than a couple of weeks old anyway, so if you forget to archive it off to a .pst or another folder, it's usually gone by week 3, with no recourse.
Meanwhile, it wouldn't hurt to have a bit of a side conversation with someone in legal (for a start), then escalate it to formal conversations with them via email (again, print those suckers off) should nothing get resolved.
Re:EASY (Score:5, Informative)
Cover your ass BEFORE you talk to somebody in legal. The legal department is there to protect the company and NOT its employees. A good legal dept will say "hey, this employee is trying to reduce our liability" -- but a bad one will say "this employee is a liability" and shoot the messenger.
Re: (Score:2)
Agreed. Always line up the ducks before you go shooting.
Re:EASY (Score:5, Insightful)
Marketing is driving the software?
They don't care about security?
System administration is outsourced?
Quit. Leave now. Take only your jacket. Your adrenals will thank you later.
Re: (Score:3)
Mine does. We have to be because we are a regular target. Every line of code goes through a review process before going live in production. Even a single line change I did today, which was no more complex than changing the spelling of something, was checked by another person when merged to production.
Re: (Score:2)
If you're needing paper backups to CYA for a perp-walk, you can probably find better pay and benefits in a less stressful job at another company.
Re:EASY (Score:4, Insightful)
You don't have to approach them as if you are blowing the whistle on your boss. Just tell them you are concerned about your personal liability should you get caught breaking the law.
Re: (Score:2)
I
Ideal vs. preponderance, do print with all headers (Score:2)
Ideally, one would backup the entire mail store, take a hash, document the whole process in detail, and quickly get a read-only copy on CD to a trusted third party such as an attorney.
More likely, it won't be a problem. A civil case is decided by the preponderance of the evidence - which ever appears most likely. If you have a copy and they don't show a copy of a different version, it's most likely your copy is correct. Of course that depends on which side seems more trustworthy - judges and juries, like
Re:EASY (Score:5, Interesting)
This. My last job was at an after market buy/sell/trade website where I got to take over the whole project mid-rebuild after the previous staff walked out/botched the job/etc. The user base was under constant attack from phishing, fraud, scams doing literally everything you could imagine including hacking accounts. The users complained about it constantly, people were losing trust in the site.
The owners only concerns were that I add new functionality. One of them wanted me to build a blog in the midst of all this. Also were totally willing to sell user information to ad companies if it meant better ad deals.
The core of the entire business was the part that was under attack. Being the only programmer there and realizing that there would not be a job left to complain about if I didn't do what needed to be done, I finally just started doing everything once all attempts at communicating the level of importance had failed. Built and integrated security features that had been present in the previous platform. Developed anti-phishing tools. Added intrusion detection for accounts. Built my own anti-spam system. By the time I was done with it, user complaints had nearly stopped and people were significantly more comfortable. Trading went back up. Crisis was over.
Owners didn't think I was working hard enough.
In the end I collected enough numbers to measurably illustrate the impact that my work had on the company, so I resigned with an awesome resume addition in hand that promptly landed me a muuuuuuuch better job with a better company.
Moral of the story: Do your due diligence. Try to communicate the importance. If you can provide numbers that put things in perspective for somebody more business minded - do it. At the end of the day though, owners who don't understand probably won't care. In this particular situation, if I didn't take the action that I did the company would have gone under. Others may be different though, so you need to be able to measure the cost of a breach in financial terms because that is the ONLY thing the owners will care about.
Outside of that, C.Y.A.
Re: (Score:3, Insightful)
So, how were things at MtGox?
Re:EASY (Score:5, Insightful)
Find another job.
These are not the only problems, just the ones you have seen.
Re: (Score:2)
Indeed. However good you document the lack of progress and the disinterest of the managers, when something happens it will be your fault and you will have a shitload of problems. Leave ASAP.
Re:EASY (Score:4, Interesting)
Indeed. However good you document the lack of progress and the disinterest of the managers, when something happens it will be your fault and you will have a shitload of problems. Leave ASAP.
Yes, agree 100%. Leave ASAP.
The other way to think about this is - any organization is only as good as your boss. If she or he is is veritable shite, the organization is as well. You are not only wasting your time, you are doing the equivalent of hanging out with a bunch of dicey "friends" who might go do something illegal when they are tanked up.
Re:EASY (Score:5, Insightful)
No, don't leave. Find a new job, get an offer, accept it, then leave.
It's extremely unlikely they're going to get into any criminal legal trouble in that time, and even if they do, it won't be traced to you. Get out and just find a new job. Don't try to be a hero: America hates whistleblowers, and there are zero protections for them here. If you reveal the problems, you'll never get a job again, because you'll be seen as a liability. Anyone who's ever blown the whistle on anything will tell you this. It just isn't worth it. The only way to blow the whistle is to do it anonymously somehow, so it doesn't taint you with a reputation as a "rat fink".
Re: (Score:2)
Re: (Score:3, Interesting)
Why? If the pay is good just keep at it. An employee never needs to become emotionally invested in the company. It's perfectly acceptable to go home every day and complain that the job sucks and everyone there is an idiot. A company that has problems means that there will be a lot of work coming down the pipeline to keep you employed.
It is hubris to leave a job because of management problems at the company that don't affect the actual job, because no one is that important and there are no perfectly maan
Re:EASY (Score:4, Insightful)
Re:EASY (Score:5, Informative)
If you don't let me fix them, you will have to take the blame.
Word to the wise. Don't ever tell your boss what they need to do. I've been in the work force for over fifteen years, and this holds true for small business all the way up to large enterprise.
Best case, you've aggravated them and they will retaliate somehow. Worst case, you've aggravated them and they will retaliate somehow.
Re: (Score:2)
Bring boss facts and a tech recommendation, don't (Score:5, Insightful)
I would extend that to say don't ever tell the boss what they need to do in a way that implies they don't know how to do their own job. That can be tricky if you are recommending that they reverse their own decision. Don't "act like you're smarter than the boss".
What has worked for me and people working for me is to bring facts along with a "from a programmer's perspective this option looks attractive" recommendation. Change "programmer's perspective" to whatever is appropriate. For many years I did IT security. CxOs would sometimes ask "should we do this" or "what should we do". I try to remember to answer "that's a business decision that's up to you, but FROM A SECURITY PERSPECTIVE ...".
The idea is to recognize and explicitly state that you are looking at it from a specialist's perspective, focusing mostly on one aspect of it. What you don't know, but the boss may know, as if they are planning on scrapping the entire project next month anyway. I can't tell the boss that we should upgrade X, because as far as I know the entire division that uses X may be getting laid off tomorrow. What I can tell the boss that that an upgrade to X would provide benefits Y and Z, at a cost of A.
Re: (Score:2)
Good advice, but minor addition: CC a fair number of other people. If your boss claims "I never got the message", then you have evidence in other people's in-boxes that at least you made a good-faith attempt to notify your boss and that the email system worked for everybody else.
Further, CC'ing others tends to make people more aware of a concern because they have to also consider how others are going to view the suggestions. Thus, it's a form of psychology.
Final advice: look for another job. Stubborn fools
Re:EASY (Score:5, Insightful)
Potentially good advice, potentially bad.
I work at a large company where this wouldn't fly for one reason: We have a security policy that specifically forbids it. Under the security policy, we have specific guidance for who must be told and, very specifically, that it should not be discussed or divulged beyond that.
So check the policies first, because, just sending a message out to a large group of people may get you in hot water itself for violating policy.
oh and.... fuck that shit entirely, get yourself back on the market, if you have to hammer them to get them to take real security issues seriously, its not worth it.
Re: (Score:2)
if you have to hammer them to get them to take real security issues seriously, its not worth it.
If you can convince them then it is definitely worth it since you will have helped secure the jobs of everyone else at the company. The difficult question is at what point does the boss' disinterest in network security become a threat to everyone's job?
Having said that, the most reliable sign that the situation is not going to change is if your boss treats you like a personal assistant rather than a professional advisor.
Re:B'OH! (Score:4, Insightful)
He said CC and he meant it. Part of the logic (he even said it explicitly) is that the boss sees "Oh crap, now all these other people in the company know what's going on, and will be watching to see what I do about it."
Re: (Score:2)
Here I thought we was using his Credit Card.
Re:B'OH! (Score:5, Insightful)
It's a hard life lesson for geeks to learn that "correct" is not sufficient evidence to convince others to follow your lead in the real world. Of course you should cover your arse, but if that is your only motivation then your no better than the DR. Evil you describe in your post. If you turn the issue into a battle of wills, or a gotcha moment, then you will more than likely lose the argument and it will become more difficult to raise the subject in the future. Nobody benefits from that, least of all the programmer.
OTOH arseholes do exist and if you have one as a boss in a small to medium sized business there is little you can do about it other than to walk out. Don't think of it as quitting, think of it as sacking the boss.
Disclaimer: Developer with 20+yrs experience, computers are easy, people are difficult.
Re: (Score:2)
I'd print them out. That way when you stand in the unemployment line, you'd have something to burn to keep you warm on cold winter's days
A print out may document it, but if the shit really does hit
Re:EASY (Score:5, Informative)
I agree, but I wouldn't be underhand and I certainly wouldn't use read receipts. That looks horribly like the very worst kind of arse covering.
You shouldn't go over your boss's head. Juggling a large number of conflicting priorities is what managers are paid to do, and you won't do yourself or anyone else any favours by undermining your boss's judgement in that way. But you should also consider the risk that she consciously has her own best interests at heart rather than the business's interests. She might have the view that, in the event of a security debacle, she will pretend that the team messed up and failed to follow instructions, and simply ride out the storm. In the meantime, she looks efficient and appears to gets jobs done quickly with a minimum of fuss.
Instead, you should sit down with her and clearly express your concerns. You should then follow up your meeting with a very clear email that summarises the conversation. You need to start with an assertive but non-hostile comment that leaves no-one in any doubt what has happened - something like this, "As we discussed earlier, these are the security issues where I believe that we are falling short of regulatory expectations..." Print out that email and take it home with you.
At that point, your boss has three options. 1. She can fix things. 2. She can escalate up the food chain, so that someone bigger than her can decide whether poor security is really in the company's best interests. 3. At huge personal risk, she can quietly ignore you.
Middle managers tend to have pretty strong survival instincts, so option 3 is very unlikely to to fly. Option 2 is pretty likely, and her manager might well say that security is too expensive/awkward/boring/inconvenient. If that happens, you're probably better off working some place else where you can be proud to turn up in the morning.
Re: (Score:2)
He asked what we would do. In the spirit of that, I would (and have, in a previous job) do what houbou says above, and then take everything to the appropriate higher authority. Considering that things are most probably going to go TU anyway, what do you have to lose? (This assumes you have a high degree of confidence that you understand the issue and your analysis is correct.)
In my case, it caused an internal upheaval which resulted in some things getting fixed, but not enough, and when crap hit fan some
Re: (Score:2)
The short answer is to follow the hierarchy and document everything. Document that you told your boss – that’s CYA.
Then go to your boss’s boss. Try that. Try to be constructive and offer solutions or at least avenues that should be pursued. Don’t offer specifics – that is somebody else job or a project in of itself. If you have to go negative, don’t tear down your boss, tear down the system.
Next step is fuzzier. Maybe your boss’s boss’s boss. Maybe Legal. But
Re:EASY (Score:4, Interesting)
This is the best advice. I will add a couple of things.
DO NOT GO AROUND YOUR BOSS. That will get you fired. Raise the issues in email, document them and move on. It is ultimately your boss' responsibility, and the responsibility of people above your boss. Unless your title is CSO or something similar, this is not your problem.
If you want to help your boss, do a risk assessment. Detail what you perceive to be the risks. Detail the potential problems of not doing anything. More importantly, detail what you think the potential solutions are, and what is involved in implementing them. This is important because you want to be constructive, and want to prove that you have put some thought into making things better, and that you are not just a whiner.
Your success or failure will depend on how you present it. The tack I would take with your boss would be something along the lines of, "Security is obviously not a high priority around here. However, I have recognized these risks that expose the company to potential liabilities under COPPA. Here are my suggestions. Now that I have documented these, I can stop thinking about them and focus on the other priorities that our team has to address."
Keep in mind, you are not going to make any friends doing this. Once it is in email, they have to act on it. To not act on it makes them liable. Keep in mind, it is not your job to do your boss' job. Unless your job description specifically says, "Mitigate security vulnerabilities in code before deploying to production.", this is not your job. Your job is to do what your boss tells you to do, just as her job is to do what her boss tells her to do, all the way up the chain to the C-level executives and board of directors.
Re:It won't be a problem until it's a problem... (Score:4, Insightful)
Leave, ASAP.. quit:
it is a problem of ethics.. don't work in an environement that does not adjust to your ethics. That's it.
submit to legal department (Score:2)
Explain the possibility of liability. Let them investigate the risks. Problem will then resolve itself from the top down.
Re: (Score:2)
Re: (Score:2)
That's, sadly, the extent of his employer's financial liability then and his manager is making the financially sensible choice. If the laws aren't in favor of the customer enough to make an incentive, then that's everyone's problem, not the OP's.
Re: (Score:2)
We're in IT; the odds are never in our favor.
Re: (Score:2)
Don't forget that an action that saves a few thousand dollars, that has a 10% chance of costing a million, is still a very bad risk, statistically speaking. That risk/loss multiplier is frequently a game-changer. We don''t buy insurance because we think we're going to run into a tree, we buy insurance because we can't afford it if we do - the odds of it happening aren't high, but aren't small enough to be able to ignore, and
Re: (Score:2)
Well, telling the company about itself isn't going to annoy itself. Telling federal or state officials might, but then... whistle-blower protection laws, suckers(you still secretly get blacklisted).
Who is 'itself' (Score:2)
Go on .. tell us who (Score:5, Funny)
And I guarantee that all your problems will be solved very quickly by the dedicate volunteers who visit this site.
But you may need to brush up your resume first.
Re: (Score:2)
or to put it another way (Score:2, Interesting)
Re: (Score:3)
The submitted did.
A Fortune 500 company for anyone with kids. That list is about 20 long - it would be very easy to work it out from the submission if you were that way inclined.
Re:Go on .. tell us who (Score:4, Interesting)
Well, here's the list:
http://money.cnn.com/magazines/fortune/fortune500/2013/full_list/ [cnn.com]
They have a website and mobile apps and are a household name for people with kids. Hmm. How about Apple?
Or maybe #66, Walt Disney. Or Time Warner. Or General Mills, or Kellogg. Or Toys R Us. Or GameStop.
Or depending on how much you like having your kids, maybe Las Vegas Sands.
Or depending on how much you liked making your kids, maybe Pfizer.
Call Elbonia (Score:5, Funny)
There are some newly unemployed hackers in Elbonia, made deaf and blind by viewing Wally's browsing history. Be a good sport and hire a few of them to break into your website. They are cheap and, being deaf and blind, would not be able to actually see anything useful for identity theft, but will sure be able to get your boss to see the light.
advise & document (Score:2)
Don't ask /. (Score:5, Interesting)
I'd start by not advertising to a large public forum containing a lot of people with security exploit experience and motive about your companies web security vulnerabilities where your synopsis easily reduces the attack vector to significantly less than 500 potential targets. How many fortune 500 companies exist that target kids, let alone ones that have a female web software development manager? Also, it should be fairly easy for somebody in the industry to discover which fortune 500 kid targeted companies outsource their system administration.
At this point, I would do nothing. If they aren't hacked within a week after you posting this article then the security vulnerabilities don't really matter.
Re:Don't ask /. (Score:5, Insightful)
At this point, I would do nothing. If they aren't hacked within a week after you posting this article then the security vulnerabilities don't really matter.
Maybe this was the strategy of OP? In that case, brilliant!
Re: (Score:3)
If that was the OP's strategy, then (his|her) brilliance is inversely proportional to the terms of the NDA s?he may have signed on employment.
Re: (Score:2)
So Disney?
Re: (Score:2)
Paper trail (Score:5, Insightful)
Plain and simple, keep your old emails, offline. If you get cornered for a conversation in person or phone, no problem... just dash off an email stating "You know how you were telling me at lunch not to worry about the security vulns? This still really bothers me. There's got to be a way to mitigate it without affecting deadlines. Imagine the missed deadlines if we lose our infrastructure to an easy hack."
Don't sound like a troublemaker, but rather, a concerned worker.
Make it clear you're the professional, and in your professional opinion and that of industry standards, security is sorely lacking. Itemize the issues you have in an email. Keep that email.
Support their decisions, and live with it.
Finally, if the shit hits the fan and anyone points fingers at you, refer them to that email. If they fire you for it, that's when you become a troublemaker.
Cover your own arse. (Score:2)
Cover your own arse. Document that you were the one reporting the problems and violations. You may lose your job anyway. Prepare for alternative employment. This is always easier while you are still employed. Once you have a reasonable plan for alternative employment you can start making demands. You may either be the hero, or you may end up in the other job.
Up to you (Score:2)
If your conscious wont allow for that... ask
Re: (Score:3)
I had a similar experience many years ago. The very first test I did with every build was press both hands on a bunch of keys. It almost always locked the system up completely. So I'd reject it. The lead programmer (who as an idiot) kept saying, "don't do that." My response was, "that's a cat jumping on the keyboard, or a tired person accidentally leaning on the keyboard. It's something that will happen. And when it does, it locks the system so tight you have to do a hard reboot." BTW, this was back
Approach the CHAIRMAN not the CEO (Score:2)
Outsourcing (Score:4, Funny)
However it's a security nightmare for sysadmins (which is all outsourced)
So it is the security nightmare that is outsourced? Finally someone got outsourcing right.
Prove It (Score:2)
Can you get budget to hire a security penetration tester? There are companies which will do penetration testing and then give you a report documenting all of the vulnerabilities they found. With that in hand you have a much stronger case to convince management to fix the problem because now it is a highly qualified security expert that has documented explicit problems.
Re:Prove It (Score:4, Interesting)
How serious is it really? (Score:2)
So let's say it gets hacked. Are we talking minor embarrassment, or serious privacy violations? All big companies patch stuff all the time, after they deploy. Adobe probably has a big list of things that need fixing when they get around to it, which maybe explains why there are constantly updates.
Integrity Hotline (Score:5, Interesting)
I would make sure that the correspondence you send to your legal department includes copies of some of the email chains you have with your managers, peers, etc... raising the concerns. Be sure to specify any regulations you suspect are being violated. If the legal team determines there is concern you can bet that change will happen. If they determine otherwise, then you've done your due diligence and reported it within the means your company gives for you to report it.
Re: (Score:2)
In general, if you absolutely know that you are in the right, don't report anonymously. If you report as yourself you have protection against retaliation. If you report anonymously, those protections go away because the ethics/integrity dept can't show that there is retaliation without knowing that it was you that reported the misconduct.
how much money can be lost? (Score:2)
what's the worst thing that can happen if the site is hacked? any CC info? how much money will be lost
not every site and data should be treated like fort knox. keep your emails for CYA purposes and keep doing what you are doing
Re: (Score:3)
Jail is the worst that can happen. Remember, he said "COPPA". That's a federal law regulating how websites deal with children.
Whitepaper (Score:2)
I wrote a memo laying out all the issues in layman's terms and proposing solutions. Then I gave it to my boss. A little while later with no further movement on the problem, I quit.
A year passed and the system was hacked. Publicly. Embarrassingly. Folks here on Slashdot asked what the sysadmins could possibly have been thinking. So, I published a copy of the memo I had written.
Your mileage may vary.
memo (Score:2)
I didn't "lose" the job any more than I "lose" a defective computer when I throw it in the trash. Indeed it would be very hard to consider it a loss when six months later I was earning $10k more per year.
Nor did I put myself in any legal jeopardy. I'll spare you the lengthy analysis.
Best way to handle the problem? Burning bridges rarely is. But sometimes it has a moral righteousness that's hard to defy.
Contact your companies Compliance Officer (Score:3, Insightful)
A fortune 500 company that deals with any area that has Federal compliance laws like COPPA, HIPPA, etc should have a compliance officer. They would be the person to contact for issues like this and contacting them should address all your issues.
1) It gives a paper trail showing you raised the issue and should prevent you from being the scape goat when something happens.
2) It should give you someone who understands the relative compliance laws and the risks associated with not complying.
3) The compliance officer should then have the juice to get something done if they determine this is a legitimate issue. If they determine it isn't an issue then their neck is on the line not yours.
This happened to me. Please read the following (Score:3, Interesting)
This happened to me when I was contracting for the USDA. Developers were pulling SQL statements in url strings. No... I'm not kidding. Literally "SELECT * FROM .
1) keep a copy of every email you sent.
2) evaluate the situation from an objective point of view. Should security be breached... what would be the possible fallout?
If personal information loss is part of this, immediately take your concerns to your legal team. In my case, I was told by several individuals it was not a problem and it was safe followed by my supervisor who told me it would be fine. I was okay with it until I realized I could pull anyone private information this way including social security numbers.
The legal team was very easy to work with. We had to self report 56 violations and my supervisor and two developers were terminated.
In this case I follow my uncle's advice (Score:2)
A union would be helpful in this situation (Score:4, Insightful)
But given that we have the IT professional community that we have:
Incidentally, your case neatly demonstrates the near-uselessness of the IEEE-ACM Software Engineering Code of Ethics [computer.org], which is very long on what the ethical obligations of a software engineer are, but has nothing useful to say about what you should do where others are ordering you to act unethically.
Think of it as banking overtime (Score:2)
Explain clearly how easy it is to breach (Score:2)
Step by step, so a non-technical type can understand just what the issue is. "Security" for some folks is a vague amorphous issue with no real consequence. I've been stunned by some of the malware and lack of security I've seen on people's computers. They don't "get it." They don't understand the risk and the damage.
Help your boss "get it" if that's the issue. Explain the consequences of a breach, and the damage to the brand. Show with other examples in the media.
My $0.02.
Document, do nothing (Score:4, Informative)
Document the issues so that it is clear you are aware and tried to do something about them. Bring them up verbally to your boss - without being obnoxious about it. Once you've done those than you need to the hardest thing of all which is to let it go. If you make too big of a deal about it you will be seen as a troublemaker. If you do nothing you will be seen as complicit or incompetent if there is a violation.
Now in certain industries you may have requirements (possibly enforced by law) that require you do to more. Most of the time that isn't the case and you have to let it go and move on with other things. Often times disasters are the only way that people higher up the food chain can and will learn.
I recall when Nimda was making it's rounds in 2000. I was aware of the worm, had the patches downloaded, instructions printed and had requested permission to patch servers. Permission was denied. I asked again, it was denied again. I had awareness of the issue, my statement of the severity and denial all in writing.
I watched a fortune 25 company go down for 2 days and lose $100 million dollars and countless workers get sent home when their facilities were rendered useless. As a result an inflexible policy was changed and any number of people were fired or disciplined. Because I had documented everything I was just about the one person nobody faulted.
Wild guess (Score:2)
Drop the dime (Score:2)
Who is the business owner of the app? (Score:2)
You should include the business owner on your emails to your boss outlining what is wrong AND how to fix the problem. Include in the what is wrong part, why the app is vulnerable.
Since you state that you came into the migration towards the end of the process, state that you are just now understanding that these issues even exist.
signs (Score:2)
On the technical side (Score:2)
So you've got a vulnerable web app that can't be fixed with new vulnerabilities being introduced all the time.
That's what web application firewalls are designed for. Installing one takes less schedule time than doing things right would take, and it might work better than nothing.
Though of course this is not a technical problem, it's easier to paper over a people problem with a technical patch than it is to fix people.
Escape! (Score:2)
Risk Cost Assessment (Score:2)
Probably the task furthest from experience as an engineer/architect, but when it's not enough to tell them (boss, executives, legal) that it's a "potentially bad thing," also include some dollar figures.
As a tangent, you should also always have the right to contact Legal without supervision. In this case, you could even tell that person in the legal department you're doing a risk-impact report (without lying) and need an estimate for how much it would cost for the company to legally defend or settle a class
Re: (Score:2)
Insert obligatory "Think of the children!!!!" where needed.
Read this study and make your own analogy (Score:2)
Tell infosec. (Score:2)
Surely there's a infosec or security group at your company. Let them know. Otherwise, fire a note to your boss and cc'd your second level manager.
Don't have the email be one where you are blaming your boss, but if the security issues are beyond your manager's command and control span, then it's probably under your next level manager/director. Something as simple as "I've noticed some odd security practices taking place within the application... what group is responsible for setting the methodology...?"
So
Sell that shit (Score:2)
Sell that shit.
Also, FUCKING Name Names.
Contact Ethics line, Internal audit, or Corp legal (Score:3)
Then there is an code of ethics violation reporting mechanism. Contact them, contact internal audit, or contact corporate legal.
Reporting to the code of ethics violation provides you the strongest protection, because there is a stated policy that you cannot be retaliated against (still no guarantee that you will not be, just that it will help you in the subsequent multi-million dollar lawsuit you can bring). Make sure you mention the violation of COPPA and ask THEM to contact corp legal.
Also understand that you will not be seen as a hero. You will be branded as a troublemaker, so better be ready to switch jobs.
(Yes, I have been in a very similar position)
PS: I see some advice about documenting your interaction with the manager for the time when the shit hits the fan. Trust me, will not help you a whit if it came to that.
Quit (Score:2)
Ask Legal for what compliance means (Score:2)
Lots of what other people have said is good.
Approach legal and tell them about our many violations of COPPA?
Ask legal what framework you should be working under, and what laws and compliance are going to be required as part of doing your job. You aren't really sure what your personal obligations are in this regard, because you understand that there are regulations but you aren't sure who is responsible for implementing what exactly, and you've gotten conflicting or confused responses from your superiors.
One suggestion (Score:3)
Assuming the website really violates COPPA, Google "COPPA violations" and grab some links to articles showing where the FTC sued over such violations and got big settlements. Then email those links to the boss (keeping copies of all this as others have suggested) and say something like "these guys got sued by the FTC and had to pay some big $, do you want to see our company get sued?"
If the boss takes an "I dont care" attitude or ignores the emails, go to the legal department or compliance officers with the same thing and say "I pushed this to my superiors and they chose to ignore it, I dont want to see our company held liable by the FTC, what should I do about it?"
If that doesn't work, consider packing up and leaving. Any company where the legal department doesn't care that the company is violating such a law and is one tip-off away from an FTC investigation (which could be a PR nightmare especially for a site that targets kids specifically) isn't a good company to work for.
I'd leave Microsoft (Score:5, Funny)
Re:Find a new job (Score:4, Insightful)
Or just care less.
Re: (Score:2)
Re:Find a new job (Score:4, Insightful)
Seconded. This is a pile of manure just waiting to fall onto someone as a scapegoat, and it might be that the application is already compromised.
Approaching legal won't do the trick. They will immediately turn around and tell the boss that so and so have gone over their head... and this won't be good for future (or present) job prospects.
Were I in your shoes, I would be honing my LinkedIn profile, updating the resume, maybe shooting for a certificate or two for keywords, and starting the hunt.
In previous IT jobs, I've heard the mantra, "security has no ROI" plenty of times, followed by, "Geek Squad can fix it if we get hacked" when I ask the obvious followup question. When you hear that song and dance, run.
Re: (Score:2)
Yes and no... nowadays, with mandatory reporting in some cases, and every newly unemployed developer on the planet able to post to any number of disclosure lists, I'm not seeing too many management types left these days that would take such a stupid risk.
Re:Da fuq? (Score:5, Insightful)
He knows what his problem is. Why is your comment rated insightful?
Re: (Score:3)
This is a terrible idea. I strongly oppose this approach.
Re: (Score:2)
I'd vote for moving on. Companies can be quite vindictive and screw you over with any future employers. They have even been known to sue whistle-blowers.
Re: (Score:3)
Re: (Score:2)
If you're going to report the problems to your boss's boss, I would do it after you resigned - and make sure to include a clear declaration that you are not going to disclose the problems to any third party.