Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Simple. Send them email headed "severe risk found/potential data breach" and explian the problem there.
They ignore. Nothing happens. all good.
They ignore. Shit hits the fan. You have an email to cover your ass. All good.
They don't ignore. Shit gets fixed. All good.
Thats about it.You did yoir job, they fucked up. -
@jeeper They literally agreed to it in the meeting the previous week, and like five messages above in the channel where they yelled at me. Unless their screens were tiny, their messages saying we should do the thing we’re still on their screens while telling me I can’t make the decision to do the thing.
@magicMirror It’s all documented in Slack and on the release Audit ticket in Jira with a link to the fix task.
@jeeper Pm you’re probably right. I really feel like the cool kids club at work are all stern on these things, parrot one another, and demand everyone else follow better practices — and that this maintains their position as a cool kid. But as soon as someone else says these same things on their own, they’re kicked off the tree house ladder and banned from ever climbing it again. -
@AlmondSauce California, or managers who moved out of California.
-
@TeachMeCode woah! Easy on the overhyped buzzwords there!
Related Rants
Did you say security?
Example #1 of ??? Explaining why I dislike my coworkers.
[Legend]
VP: VP of Engineering; my boss’s boss. Founded the company, picked the CEO, etc.
LD: Lead dev; literally wrote the first line of code at the company, and has been here ever since.
CISO: Chief Information Security Officer — my boss when I’m doing security work.
Three weeks ago (private zoom call):
> VP to me: I want you to know that anything you say, while wearing your security hat, goes. You can even override me. If you need to hold a release for whatever reason, you have that power. If I happen to disagree with a security issue you bring up, that’s okay. You are in charge of release security. I won’t be mad or hold it against you. I just want you to do your job well.
Last week (engineering-wide meeting):
> CISO: From now on we should only use external IDs in urls to prevent a malicious actor from scraping data or automating attacks.
> LD: That’s great, and we should only use normal IDs in logging so they differ. Sounds more secure, right?
> CISO: Absolutely. That way they’re orthogonal.
> VP: Good idea, I think we should do this going forward.
Last weekend (in the security channel):
> LD: We should ONLY use external IDs in urls, and ONLY normal IDs in logging — in other words, orthogonal.
> VP: I agree. It’s better in every way.
Today (in the same security channel):
> Me: I found an instance of using a plain ID in a url that cancels a payment. A malicious user with or who gained access to <user_role> could very easily abuse this to cause substantial damage. Please change this instance and others to using external IDs.
> LD: Whoa, that goes way beyond <user_role>
> VP: You can’t make that decision, that’s engineering-wide!
Not only is this sane security practice, you literally. just. agreed. with this on three separate occasions in the past week, and your own head of security also posed this before I brought it up! And need I remind you that it is still standard security practice!?
But nooo, I’m overstepping my boundaries by doing my job.
Fucking hell I hate dealing with these people.
rant
security
it’s a great idea until root says it
idiots