
Ask HN: Security at my company is horrible, what can I do? - throwAwaySec
I joined a team working on maintaining and improving an old project around 4 months ago.

The code is old, with horrible practices and no regard for security. I was OK-ish with it though, since the app is B2B and can only be accessed via a whitelisted IP.

Now we have been told that on our product road-map we will be managing clients' private keys and sensitive data that is used to communicate with financial entities.

I feel very bad about this as it could expose customers to huge risks (knowing the code-base); managers know as well.

I'm not a security expert by any means, but there is minimal stuff that can be done to remove 90% of the issues, but no one is willing to budget some time for this, and management just wants to push re-writes and new features fast.

What can I do, as "the new guy" and also with no formal security training?

Edit: Most vulnerabilities I saw were the possibility of one user accessing and altering another's data just by messing with headers and URLs. This should not be possible for a non-whitelisted user as far as I can tell.
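The flaw the poster describes in the edit (one user reaching another user's record by editing a header or URL) is a missing object-level authorization check. The following is an added illustration, not code from the thread or from the poster's project: a minimal request handler written in the broken pattern beside the same handler with the check in place. The session table, invoice records and request shapes are all constructed for the example.

```python
"""Added example: a client-controlled identity and a missing ownership check,
beside the hardened form. Every name and record here is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed server-side session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def sample_records() -> dict:
    """Fresh copy of a constructed data store: record id -> owner and payload."""
    return {
        "inv-1001": {"owner": "alice", "amount": 120},
        "inv-1002": {"owner": "bob", "amount": 340},
    }


@dataclass
class Request:
    method: str
    path: str                                   # e.g. "/invoices/inv-1002"
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


def record_id_from_path(path: str) -> Optional[str]:
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) == 2 and parts[0] == "invoices" else None


def handle_vulnerable(req: Request, records: dict):
    """The broken pattern: the caller's identity is read from a header the
    client sets, and the record named in the URL is returned or updated with
    no check that the caller owns it."""
    user = req.headers.get("X-User-Id")         # client-controlled, so meaningless
    rec = records.get(record_id_from_path(req.path))
    if user is None or rec is None:
        return 404, None
    if req.method == "PUT" and req.body:
        rec.update(req.body)                    # overwrites any field, "owner" included
    return 200, dict(rec)


def current_user(req: Request) -> Optional[str]:
    """Identity comes only from the server-side session, never from a header
    or URL parameter the client can edit."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def handle_hardened(req: Request, records: dict):
    """Same endpoint with object-level authorization: each read and write is
    checked against the record's owner before anything is returned or changed."""
    user = current_user(req)
    if user is None:
        return 401, None
    rec = records.get(record_id_from_path(req.path))
    if rec is None:
        return 404, None
    if rec["owner"] != user:
        return 403, None        # or 404, if you prefer not to confirm the id exists
    if req.method == "PUT" and req.body:
        # Whitelist the updatable fields so the body cannot reassign ownership.
        rec.update({k: v for k, v in req.body.items() if k in {"amount"}})
    return 200, dict(rec)


if __name__ == "__main__":
    store = sample_records()
    alice = {"Authorization": "Bearer tok-alice"}
    print(handle_vulnerable(Request("GET", "/invoices/inv-1002", {"X-User-Id": "alice"}), store))
    print(handle_hardened(Request("GET", "/invoices/inv-1002", alice), store))
```

The point of the comparison is that the fix is small and local: derive the user from the session, look up the record, compare owner to user, and restrict which fields a write may change. Applying that same check in every handler (or once, in a shared lookup helper that every handler must use) is the kind of "minimal stuff" that closes this whole class of issue without a rewrite.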
======
tomohawk
In the end, the work you do reflects on who you are and to some extent changes
who you are. Your spidey sense is going off. You can use this as an
opportunity to grow and be more valuable to businesses that employ you.

Try writing something up about the business risks of the situation, outlining
possible scenarios and how they would affect the bottom line. Explaining from
a tech point of view is probably not going to get you anywhere. Focus on the
business.

As part of this, document the current baseline and how it relates to these
risks.

Create a plan to mitigate these risks, which may involve getting in
consultants who understand the regulatory environment.

Get your management to sign off on it.

Make sure there is a paper trail for all directed changes to the baseline.

If your current business won't sign off, it's time to start looking for
another job. But, you will have learned more about how to put together a
business case and you will have thoughtfully advised your employer.

------
DoreenMichele
_Now we have been told that on our product road-map we will be managing
clients private keys and sensitive data that is used to communicate with
financial entities_

Look up Gramm-Leach-Bliley. You may need to comply in order for the financial
entities to be in compliance.

When I worked in insurance, I got annual training in both HIPAA and
Gramm-Leach-Bliley. We had to comply with both. Both had information security rules.

[https://en.m.wikipedia.org/wiki/Gramm–Leach–Bliley_Act](https://en.m.wikipedia.org/wiki/Gramm–Leach–Bliley_Act)

------
swatcoder
As you probably know, this is not uncommon. Project managers choose what they
prioritize and security often either falls off the bottom of the priority list
or is addressed by engineers who only know enough to shoot themselves in the
foot.

To really shore up security, you need to raise its priority and in a mature
project that can involve a daunting shift in momentum. Developers and testers
are in a rhythm of pursuing other goals.

As the "new guy", you'll have little influence to make that shift happen in a
significant and lasting way.

But here's what you can do:

1. Document your understanding and share it with the project manager. All
this will do is nudge the ship a little bit, but that nudge can start a
process that pays off later.

2. Take advantage of the fact that you're new. Unlike the rest of the team,
you currently only have a light impact on the rhythm towards other priorities.
The project momentum may be large, and so might the momentum of more senior
developers, but yours is not. Pitch your "minimal gets you 90%" work as both
an opportunity to triage the most pressing security issues (buying time before
a bigger momentum shift is necessary) AND as a way for you to gain familiarity
and ownership of a new part of the code. You'll get exposure and commit
history for some new files and will likely become a first-pick candidate for a
more substantial security effort later on. They may not bite on this, but it's
really the most you can make a strong case for.

Good luck!

------
CyberFonic
I have seen similar situations many times. In my experience managements are
ignorant of the risks and are often the worst offenders as far as lax (if
any) security practices on their own PCs, etc. There is very little you can
do.

Since you are not qualified to address security features, do NOT attempt to do
so. That is not in your job description.

Best to document your concerns in writing (as in a hard-copy letter). Give two
copies to your manager. Ask him to pass a copy up the chain of command. Keep
another copy in some safe place at home.

If asked to "fix" security, point out that you are unqualified and that you
are willing to do so under the direction of a suitably qualified consultant.

The reason you need to be careful is that under many jurisdictions, your
company is liable for considerable penalties for failing to adequately protect
client information and you don't want to become a casualty in the fallout that
may come about.

~~~
posixplz
> The reason you need to be careful is that under many jurisdictions, your
> company is liable for considerable penalties for failing to adequately
> protect client information and you don't want to become a casualty in the
> fallout that may come about.

In the US, at least, proper disclosure of risk to senior leadership is
sufficient to protect one's self from personal liability. Make sure you are
not committing illegal acts, especially as an officer of the company. If you
are not an officer, and you disclaim risk to senior leadership, you should be
ok.

But, that's not always the case. If you are sufficiently worried, call a
lawyer. I have been in a very similar position. Respectable lawyers have no
problem spending an hour consulting with potential clients (for free) and will
often times give valuable advice, even if they're yet-unretained.

I nearly sued a previous employer for firing me (arguably for whistleblowing)
after I refused to be silent about illegal skirting of, and leadership's
brazen refusal to implement, federally required safeguards for HIPAA, GLBA,
SOX, FFEC, etc. In the nine months I spent trying to right their ship, I spent
all my social capital accrued at the company - and it started to impact my
reputation as a security professional. I wish I had given up (and quit) a lot
earlier. Sometimes, the fight is just not worth it. Especially when non-expert
execs are micromanaging know-it-alls who can't bear to be corrected by domain
experts they've hired.

------
ajeet_dhaliwal
Are you certain the managers know about this and push back or have you heard
this second hand? I ask because I am the founder of a saas application (see my
profile for details) and one of the major concerns before buying from
prospective and current customers relates to security. A lot of time is spent
making sure the application is developed with the best security practices in
mind. We take it very seriously. Here's the kicker: the app is only used to
store test/fake data, we do not handle any production data or any of their
customers' real data. Even so security is a major concern. The fact that your
application is handling customer's real sensitive data, including financial
data and communicating with financial entities makes me think your management
should be making security a top priority, otherwise how would their customers
have any faith in them? I would bet the management cares, and if they don't
then there are serious problems with the company and you may want to consider
leaving.

------
twunde
Decide whether you're willing to leave the company or lose your job over this.
It's not popular to say, but there are enough companies that will manage out
individuals that bring up issues like this because there's no management
backing and then it just becomes disruptive. It sucks. Think about it and
based on that decide on how hard you want to push security issues and
awareness.

In terms of best steps to actually get security flagged and addressed. Find
out whether your company has a compliance or security department. If you're
doing B2B, someone may be conducting a SOC2 review annually or the equivalent.
These people are typically the ones empowered to do something about security
and are the ones to talk to. There's also the possibility that the risks are
being mitigated through another method such as a WAF. If there are no security
or compliance programs you may want to chat with the sysadmins.

It's possible that the company may have decided that security was too
expensive and just bought insurance as their mitigation strategy (I worked at
one company who, unbeknownst to me, took payments but wasn't actually PCI
compliant, who did this). If that's the case, you're better off looking for a
new job.

