"Frank's skill in asking the right questions is un-mistakable, and is at the core of his leadership philosophy.

The power of these questions cannot be underestimated, especially if you want to lead and not manage."
—John Cave
Westhaven Worldwide Logistics

Serious Security Problems

Although we were disappointed to learn that you guys had known about this vulnerability for several months and did not notify us.  [Or fixed it!]

Classic.
Scary.

How can you look at yourself in the mirror knowing that your software has a vulnerability but doing nothing about it?  How can you even sleep tight a night?

Over and over again have I witnessed developers been ordered to stop testing software - because the management did not like the fact that they discovered uncounted bugs and vulnerabilities.

Brian Tracey said:

"The purpose of a business is to create and keep a customer.  Profits are a measure of how well a company is fulfilling its purpose."

So - what is the purpose of a company not revealing known security issues for several months?

Taking a closer look we can come up with a few possibilities:

  1. It costs money.

    So let me get this straight: Some-one decides that it will cost money and smaller the profit to go ahead and fix security issues.

    Software developments driven by managers whose decisions are driven by costs instead of necessities are more then dangerous.  Usually they are suicidal.

  2. It takes time.

    Following the appropriate procedures of designing and developing software the time needed could have been minimized.

    I once experienced a company refusing to write a small software (40 hours) to set up the database for a new customer.  Instead they used faulty spreadsheets and filled to database with an import program.  Every import needed manual correction.  On average there were 10 hours spent per new customer.  Did they really save time?  Or money?

  3. It damages reputation.

    Of course it does!

    Every mistake you make can cost you your reputation.  But what damages more: Announcing today or waiting months and putting the customers business into jeopardy?

  4. It decreases sales to old and new customers.

    Only if you are dishonest about it!  There are many products out there which were faulty, fixed and sold again.

    While many people understand that software has bugs being honesty about security issues is what helps you to keep selling your software.

  5. The design has to be changed.

    Then do it, but get it right!  See it for the opportunity it is, and include the customers to get a design which can serve their needs.

  6. Data has to be stored differently.

    This brings you back to an incorrect design at the beginning.  Designing and database designing are difficult tasks which take time and cost money.

    There is this one web based software transferring personally data (complete resume) over the wire without any encryption of the data.  And then the only solution they came up with is to use a checksum - the data is still not encrypted - thus still not secure at all.  How did that protect the users privacy?  Not to mention that the data was and still is stored in plain text.

  7. Our users do not try to find bugs.

    What a nice way of missing the point!  The people trying to find bugs are named testers, not users.

    What do you think will happen when any one of the Federal agencies has an audit?  Or a user finds a lawyer with too much time on their hands?

There are some "managers" seeing that there are problems with their software - they look for other ways of making money, like consulting.  That does not fix the problems in the software but increases short term revenue.

The sleaziness and stupidity in the software development has taken a turn which turns my stomach:

When in the last years did we miss raising our voices to make it clear that this is the wrong way of doing software engineering?


 
↑ Top

This Genius One Article is published here for the purpose of helping to improve your personal and organizational performances; designed to provide accurate and authoritative information in regard to the subject matter covered. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

Please contact us directly if you need a word or pdf version of this article.