Example #1 of ??? Explaining why I dislike my coworkers.

VP: VP of Engineering; my boss’s boss. Founded the company, picked the CEO, etc.
LD: Lead dev; literally wrote the first line of code at the company, and has been here ever since.
CISO: Chief Information Security Officer — my boss when I’m doing security work.

Three weeks ago (private zoom call):
> VP to me: I want you to know that anything you say, while wearing your security hat, goes. You can even override me. If you need to hold a release for whatever reason, you have that power. If I happen to disagree with a security issue you bring up, that’s okay. You are in charge of release security. I won’t be mad or hold it against you. I just want you to do your job well.

Last week (engineering-wide meeting):
> CISO: From now on we should only use external IDs in urls to prevent a malicious actor from scraping data or automating attacks.
> LD: That’s great, and we should only use normal IDs in logging so they differ. Sounds more secure, right?
> CISO: Absolutely. That way they’re orthogonal.
> VP: Good idea, I think we should do this going forward.

Last weekend (in the security channel):
> LD: We should ONLY use external IDs in urls, and ONLY normal IDs in logging — in other words, orthogonal.
> VP: I agree. It’s better in every way.

Today (in the same security channel):
> Me: I found an instance of using a plain ID in a url that cancels a payment. A malicious user with or who gained access to <user_role> could very easily abuse this to cause substantial damage. Please change this instance and others to using external IDs.
> LD: Whoa, that goes way beyond <user_role>
> VP: You can’t make that decision, that’s engineering-wide!

Not only is this sane security practice, you literally. just. agreed. with this on three separate occasions in the past week, and your own head of security also posed this before I brought it up! And need I remind you that it is still standard security practice!?

But nooo, I’m overstepping my boundaries by doing my job.

Fucking hell I hate dealing with these people.

  • 14
    WTF are they butthurting about? You were doing your job, you didnt take any decision, you just did what they told you. How can they be so blind to that? Do they really need you to quote them or post a screenshot?
  • 6
    Where do you find these employers?!

  • 1
    He probably agreed bc hes too stupid to understand the strategy and wanted to nod. It sounds like a dead obvious issue to me and I’m not a security guru...actually my security knowledge sucks balls. Imagine getting hacked and watching the company crash bc some corporate asshole didn’t take advice from a “lowly peon” like us. Fuck, these people you work with will suffer in other companies where you actually have to be good
  • 4
    Simple. Send them email headed "severe risk found/potential data breach" and explian the problem there.
    They ignore. Nothing happens. all good.
    They ignore. Shit hits the fan. You have an email to cover your ass. All good.
    They don't ignore. Shit gets fixed. All good.

    Thats about it.You did yoir job, they fucked up.
  • 1
    Where you fucked up is you didn’t stroke their ego all the way along while reporting the problem.

    /s kinda. Sometimes it takes some awful brown nosing to get something important done.
  • 5
    @jeeper They literally agreed to it in the meeting the previous week, and like five messages above in the channel where they yelled at me. Unless their screens were tiny, their messages saying we should do the thing we’re still on their screens while telling me I can’t make the decision to do the thing.

    @magicMirror It’s all documented in Slack and on the release Audit ticket in Jira with a link to the fix task.

    @jeeper Pm you’re probably right. I really feel like the cool kids club at work are all stern on these things, parrot one another, and demand everyone else follow better practices — and that this maintains their position as a cool kid. But as soon as someone else says these same things on their own, they’re kicked off the tree house ladder and banned from ever climbing it again.
  • 3
    @AlmondSauce California, or managers who moved out of California.
  • 3
    Now they’re acting like it was their idea all along and taking the credit.

  • 1
  • 3
    This sounds like they have a gender issue. They’re probably men who feel knocked off their pedestal when hearing good suggestions from a woman. Suggestions they couldn’t muster themselves. I say this as a male myself, btw. They’re probably sexists and racists pretending to be civil rights gurus for hugs kisses and social media gold
  • 2
    @d-fanelli There absolutely are...
  • 3
    VP: You are in total and complete charge

    Gotta love this type of people who don’t stand by their words. This is cowardice and mistrust.
  • 0
    Wow.... How like you being working in this company?
  • 0
    @TeachMeCode woah! Easy on the overhyped buzzwords there!
Add Comment