Nothing like a client requesting "Hey, can you add a virus scan for every goddamn file in the pipeline? (We don't know what antivirus software you can use, nor do we know what the consequences of this virus scan failing are. We also don't know why a system admin is not doing this server-wide instead of a software dev doing it for this specific individual component. Heck, we don't even know why we need the virus scan in the first place.) You might need to think 'outside the box'. Let's hope this is done by 12th Jan. Regards" on a Friday goddamn night

They probably even expect me to write my own antivirus software instead of paying for one

Why is the industry like this? Is there really any polite way to deny this?

  • 3
    if [[ "$file" == *virus* ]]
  • 5
    There is a way.

    Drown them in technical requirements.

    Pull the specs on the device they want to run this on. Request they provide throughput info, things like how many files to expect to handle per second.

    Once you have that, calculate out the resource cost and how inadequate the device is. Spec out a new device. Provide them with the cost and the benefits.

    Then hit them with the license cost to use an AV. Some AV software licenses charge by the core, so that sweet ass 24-core rig you just proposed will cost them $1000 a month just to be installed. Don't forget about those pesky OS core charges too. Tack on another $2700.

    Now you can tack on dev costs.

    Once you're done, do another quote for running existing hardware with nightly scans like a fucking normal company.

    If they're still adamant about the scans pop a WAF in front of it and let it handle all the bullshit and make it a problem for security.
  • 3
    A simple "no" would work if your company deserves you.
  • 3
    @sariel yeah, I immediately tried to do that and then they said they don't have a budget for that and I have to "think out of the box" and do it without anything extra. This whole situation is amazingly stupid. I'll try to explain the situation to my manager once and if it isn't improving, I'm getting the fuck out of here.
  • 2
    @StackSmasher123 could you request a dev team with security training? Those do not come cheap. If the client says they do not have the budget, tell them to "think outside the box". Apparently they think those words are magical.

    Now, seriously, say "we do not have resources to do that in the allocated budget" and repeat it like a mantra. They will not like it, but adults must be ready to handle a "no" from time to time.
  • 4
    You don't have to play mind games with the client to avoid the work or get better conditions. You're the software developer with experience in this situation, you tell *them* how *long* it's going to take and *what* it will take to do it.

    I would say "Well, I can put together a technical specification with some options for this, but it most certainly won't be done by 12 Jan. I can give you a more precise time estimate once the spec is done, but I don't expect it to take less than a couple of weeks."

    I mean, ultimately they have to listen to you (if you're the lead/freelancer) and if you're not, they have no business calling/writing you directly in the first place.

    Regarding the solution, you could probably check if there's an online API available for VirusTotal or ESET. If the files aren't considered private you can just pass them through a service that already does this imo. If they are, then tough luck, it's gonna suck.
  • 3
    Don't people tend to use ClamAV for that kind of task?
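    One way to wire ClamAV into a pipeline stage, as an added example that is not part of this thread and not code from the ClamAV project: it wraps the `clamscan` command line, maps ClamAV's documented exit codes (0 = clean, 1 = infected, 2 = error) to a verdict, parses the `<path>: <signature> FOUND` lines, and fails closed on scanner errors so that a missing or broken scanner cannot silently wave files through (the "consequences of this virus scan failing" question from the original post). The scan runner is injectable, so the gate logic can be exercised without ClamAV installed; the command-line flags, the `fail_closed` parameter and the signature name in the sample output are assumptions or constructed values.

```python
"""Added example: a fail-closed ClamAV gate for a file pipeline (not from the thread)."""
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumption: clamscan is on PATH with an up-to-date signature database.
# --infected prints only hits; --no-summary drops the trailing statistics block.
CLAMSCAN_CMD = ["clamscan", "--no-summary", "--infected"]


@dataclass
class CommandOutput:
    """What the scanner process returned (decoupled from subprocess for testing)."""
    returncode: int
    stdout: str
    stderr: str


@dataclass
class ScanResult:
    path: str
    verdict: str                      # "clean", "infected" or "error"
    signature: Optional[str] = None   # detection name when verdict == "infected"
    detail: str = ""                  # scanner error text when verdict == "error"


def run_clamscan(path: str, timeout: int = 60) -> CommandOutput:
    """Invoke clamscan on one path; raises OSError if the binary is missing."""
    proc = subprocess.run(CLAMSCAN_CMD + ["--", path],
                          capture_output=True, text=True, timeout=timeout)
    return CommandOutput(proc.returncode, proc.stdout, proc.stderr)


def parse_found_signature(stdout: str) -> Optional[str]:
    """Extract the signature name from a 'path: NAME FOUND' line, if any."""
    for line in stdout.splitlines():
        line = line.strip()
        if line.endswith(" FOUND"):
            # Split from the right: paths may contain ': ', signature names do not.
            return line[: -len(" FOUND")].rsplit(": ", 1)[-1]
    return None


def scan_file(path: str,
              runner: Callable[[str], CommandOutput] = run_clamscan) -> ScanResult:
    """Scan one file and translate the scanner's exit status into a verdict."""
    try:
        out = runner(path)
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Scanner missing, not executable, or hung: report as error, never as clean.
        return ScanResult(path, "error", detail=f"scanner unavailable: {exc}")
    if out.returncode == 0:
        return ScanResult(path, "clean")
    if out.returncode == 1:
        return ScanResult(path, "infected", signature=parse_found_signature(out.stdout))
    # Exit code 2 (or anything unexpected): scanner could not give a verdict.
    return ScanResult(path, "error", detail=(out.stderr or out.stdout).strip())


def should_pass(result: ScanResult, fail_closed: bool = True) -> bool:
    """Gate decision: clean passes, infected is rejected, errors depend on policy."""
    if result.verdict == "clean":
        return True
    if result.verdict == "infected":
        return False
    return not fail_closed   # default: an unavailable scanner blocks the file


def gate_files(paths: List[str],
               runner: Callable[[str], CommandOutput] = run_clamscan,
               fail_closed: bool = True) -> Tuple[List[str], List[ScanResult]]:
    """Return (accepted paths, rejected results) for a batch of pipeline inputs."""
    accepted, rejected = [], []
    for p in paths:
        result = scan_file(p, runner)
        (accepted if should_pass(result, fail_closed) else rejected).append(
            p if should_pass(result, fail_closed) else result)
    return accepted, rejected


if __name__ == "__main__":
    import sys
    ok, bad = gate_files(sys.argv[1:])
    for r in bad:
        print(f"REJECT {r.path}: {r.verdict} {r.signature or r.detail}")
    print(f"accepted {len(ok)} file(s), rejected {len(bad)}")
```

    The rejected list keeps the full `ScanResult`, so a pipeline can log the signature name for detections separately from scanner outages; the outage case is the one to alert on, since a fail-closed gate with a dead scanner stalls the whole pipeline rather than leaking files.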
  • 1
  • 2
    @JsonBoa I will try. I don't think my manager will be courageous enough to tell these clients that honestly but here's hoping
  • 2
    @electrineer Thanks a lot for the suggestion! I didn't know this existed. Will check the license and see if it works for the clients. I honestly didn't think a FOSS antivirus would exist, glad I'm wrong.
  • 2
    Couldn't have said it better myself.

    VirusTotal API was the first thing that popped up in my head.
  • 1
    @StackSmasher123 if this is an independent contractor/customer relationship I would thank them for their feedback and release them from the contract.

    When they get upset tell them you thought outside the box and feel this is the best solution you can provide for them.

    If you aren't their independent contractor, my condolences.
  • 2
    Maybe try running each file on the client's computer. If the client complains about side effects, it probably was a harmful file. They'll thank you for thinking outside the box.
  • 0
    @electrineer lmao. This is actually genius
  • 0
    @sariel sadly I'm not an independent contractor ;(