I was the unofficial “security” guy where I worked as a software engineer. (Web apps, mostly.) We had a scanning tool (Burp Suite Pro, for those who want to know) that we ran against our apps on a regular basis to find any security issues. I was almost always the guy who did triage and remediation of any issues that came up. And when I had fixed a hole, I’d put a summary of the issue and the fix on the internal wiki page where we tracked such things.
For one particularly interesting vulnerability, I had to create my own implementation of a subset of the Java serialization API in order to remediate the vulnerability in a way that maintained backwards compatibility and didn’t inconvenience users. In the summary I wrote that the fix was “a hack” but it closed the vulnerability, which is all the PCI auditors would care about anyway. (If you don’t know what a PCI auditor is, don’t worry too much. They’re a regulatory thing that’s required if you’re a big enough business that process credit cards. They have to audit your security practices annually.)
My boss pulled me into his office to tell me to change the wording. He was worried the auditors would see the word “hack” and think that… I dunno… I committed some kind of financial fraud in the process of making the code change or something? Or maybe that we’d failed to disclose a security breach?
It didn’t sit right with me. For one thing, I’m the sort of person who wants to reclaim the positive connotations of the word “hack.” (And, honestly, using the word “hack” in a positive light never died.) But more importantly, if I were a PCI auditor and I heard that the boss had pressured a developer to alter their wording of the description of a remediation to make it sound better to PCI auditors, I’d probably pitch a shit fit at said boss.
(And, honestly, the boss and the development team weren’t on great terms at the time for reasons. So it sat worse still than it would have otherwise.)
But also, it wasn’t a hill worth dying on right then. I agreed to change my wording without raising a fuss. I decided if I ever got called to testify in court because there was a massive breach or something (I’m being hyperbolic here, but you get my point), I knew who to point the finger at.
But it still stuck in my craw. And when I resigned a few months later, I went and edited my comment back to say “hack” on my last day and didn’t tell anyone.
Actually, when I gave my resignation, my boss didn’t handle the process correctly with HR and they didn’t find out until way later into my notice period than they should have. As a result, they didn’t schedule an exit interview with me until way late. So I contacted HR about it and stayed late on my last day to voice how terrible the management was. (I was hoping to be the first of several to send such a message to HR.)
When I returned to the same company/position 5 years later, the page was still present and had the word “hack.” One of the first things I did once I had access to the corporate wiki again was to check that page. I still work there today and it’s still in the pristine state it should be in.
The boss in question also left and came back, but he’s been promoted up high enough in the ranks that he doesn’t concern himself with little old me and my security remediation reports. I imagine he’s probably forgotten about the whole thing.
Plus, his boss was way worse, and it’s very likely it was that guy who demanded I change it and delivered the message through his underling. And the worse guy isn’t at the company any more, but that’s a story for another day.
It’s small. And petty. But I feel satisfied with myself every time I think about it.
Hey, nothing wrong with small and petty. Everything, everywhere generally sucks these days, so take joy when and where you can, I say.
I’m totally on your side with regard to the word ‘hack’: Context matters, and in that context, ‘hack’ pretty much always means a kludge of a fix that works but could be better. It’s also a signal to whoever looks at the code later to take a better look / improve it. OTOH, auditors are the worst (though I would not personally want their job lol), and I can’t say I’ve never had to do similar pedantic things to appease them.
No, totally wrong. It’s like driving, where it doesn’t matter if you have the right of way but get t-boned and airlifted to the hospital. You’re playing on the auditors field, you have to play by their rules, use their language, and it’s just not worth insisting you’re right. Apparently your phrasing was accepted or not noticed, but it really seems like playing with fire.
I was the unofficial “security” guy where I worked as a software engineer. (Web apps, mostly.) We had a scanning tool (Burp Suite Pro, for those who want to know) that we ran against our apps on a regular basis to find any security issues. I was almost always the guy who did triage and remediation of any issues that came up. And when I had fixed a hole, I’d put a summary of the issue and the fix on the internal wiki page where we tracked such things.
For one particularly interesting vulnerability, I had to create my own implementation of a subset of the Java serialization API in order to remediate the vulnerability in a way that maintained backwards compatibility and didn’t inconvenience users. In the summary I wrote that the fix was “a hack” but it closed the vulnerability, which is all the PCI auditors would care about anyway. (If you don’t know what a PCI auditor is, don’t worry too much. They’re a regulatory thing that’s required if you’re a big enough business that process credit cards. They have to audit your security practices annually.)
My boss pulled me into his office to tell me to change the wording. He was worried the auditors would see the word “hack” and think that… I dunno… I committed some kind of financial fraud in the process of making the code change or something? Or maybe that we’d failed to disclose a security breach?
It didn’t sit right with me. For one thing, I’m the sort of person who wants to reclaim the positive connotations of the word “hack.” (And, honestly, using the word “hack” in a positive light never died.) But more importantly, if I were a PCI auditor and I heard that the boss had pressured a developer to alter their wording of the description of a remediation to make it sound better to PCI auditors, I’d probably pitch a shit fit at said boss.
(And, honestly, the boss and the development team weren’t on great terms at the time for reasons. So it sat worse still than it would have otherwise.)
But also, it wasn’t a hill worth dying on right then. I agreed to change my wording without raising a fuss. I decided if I ever got called to testify in court because there was a massive breach or something (I’m being hyperbolic here, but you get my point), I knew who to point the finger at.
But it still stuck in my craw. And when I resigned a few months later, I went and edited my comment back to say “hack” on my last day and didn’t tell anyone.
Actually, when I gave my resignation, my boss didn’t handle the process correctly with HR and they didn’t find out until way later into my notice period than they should have. As a result, they didn’t schedule an exit interview with me until way late. So I contacted HR about it and stayed late on my last day to voice how terrible the management was. (I was hoping to be the first of several to send such a message to HR.)
When I returned to the same company/position 5 years later, the page was still present and had the word “hack.” One of the first things I did once I had access to the corporate wiki again was to check that page. I still work there today and it’s still in the pristine state it should be in.
The boss in question also left and came back, but he’s been promoted up high enough in the ranks that he doesn’t concern himself with little old me and my security remediation reports. I imagine he’s probably forgotten about the whole thing.
Plus, his boss was way worse, and it’s very likely it was that guy who demanded I change it and delivered the message through his underling. And the worse guy isn’t at the company any more, but that’s a story for another day.
It’s small. And petty. But I feel satisfied with myself every time I think about it.
Hey, nothing wrong with small and petty. Everything, everywhere generally sucks these days, so take joy when and where you can, I say.
I’m totally on your side with regard to the word ‘hack’: Context matters, and in that context, ‘hack’ pretty much always means a kludge of a fix that works but could be better. It’s also a signal to whoever looks at the code later to take a better look / improve it. OTOH, auditors are the worst (though I would not personally want their job lol), and I can’t say I’ve never had to do similar pedantic things to appease them.
No, totally wrong. It’s like driving, where it doesn’t matter if you have the right of way but get t-boned and airlifted to the hospital. You’re playing on the auditors field, you have to play by their rules, use their language, and it’s just not worth insisting you’re right. Apparently your phrasing was accepted or not noticed, but it really seems like playing with fire.
I’m sorry, but this story makes you seem like an entitled prick. I’m sure you are not, though, and the story is missing some crucial context