We’ve All Had This Meeting

The Daily WTF details a meeting wherein a security consultant encounters a group of developers and technical stakeholders who don’t mind problems in their application for the financial industry:

“All I had to do was modify the cookie and the lock file, and…”

“That’s stupid. Why would anyone ever do that?” His boss, Paul, shot a glare at him.

“I don’t know,” Jim said, “curiosity? Ignorance? Malice?”

“We can’t guard against malice.”

“We can’t guard against malice?!” Jim’s jaw dropped. Guarding against malice was the whole point, and the entire reason that the company existed. This would’ve been excusable if it came from a PHB, but this was a very experienced engineer.

“Guarding against malice is exactly what we’re here to do! If we’re not going to guard against malice, we might as well just put post-it notes on the data that say ‘Please Don’t Look.’”

A young developer scoffed. “You can’t put post-it notes on data!” Several people around the table exchanged smirks.

Jim exhaled deeply and could feel another wrinkle forming near his eye and another tuft of hair turning gray. “Look, this is what hackers do. They dig around and find all the loose threads and try to use those to exploit the system. If I’m capable of doing it, then certainly a professional hacker paid by a government or well-funded competitor can.”

“But if they wanted to get to the database, they’d just have to do ‘psql -d xxxxxx-db-name’ and they’re in. Like I said, we can’t protect against malice!”

Jim briefly wondered if he looked half as horrified as Mike did at that moment. “You… didn’t encrypt the database?!”

“…No…”

Our epilogue, unwritten in the linked piece, is that the resultant failure is then QA’s fault.

Responses to “We’ve All Had This Meeting”

  1. calkelpdiver Says:

    I would have done 2 things after those meetings. First, start drinking heavily. Second, document the hell out of the test findings and keep physical copies of them and any emails pertaining to it. Then keep them offsite for safe keeping.

    Guess those guys don’t understand the GOOB Zone principle, because they just entered it. GOOB == Going Out of Business.

  2. The Director Says:

    Bad developers are like viruses. After this particular company goes down, its poorly trained and worst-practice-adherent team will scatter to the winds to infect a number of other companies with the same ignorance.

  3. calkelpdiver Says:

    Director,

    Why do I feel we need to be like the Agents in the Matrix? “Developers are not actually mammals. Mammals naturally live in balance with their environments. But there is an organism that developers are like… a Virus. And we testers are the cure.”

    Sorry, couldn’t resist.

  4. The Director Says:

    Sadly, the metaphor breaks down. No developers, no testers. So we’re sort of like parasites on viruses.

    But we do get fat off of the bad developers, don’t we?
