They hired a new hotshot engineering manager (the kind that makes physical things). He hates the engineering software we run. I don’t blame him, it’s crap software. He constantly complains about how slow it its. He’s right again. Crap Software Vendor says it’s my platform that makes their software slow and buggy. I’m willing to make any changes they recommend, but they’ve got nothing. They’re like, “it runs fine in our test env.” So hotshot goes rogue and signs contracts to move engineering to a cloud platform that he used at his old job. I wasn’t brought in until after the ink dried.
New vendor sends me a link, login, and password via email. I go to the link. It’s fucking remote desktop gateway. Open to the internet. The password isn’t a temp, that’s my permanent unchangeable password. This is how they handle user access control. No MFA. Nothing between the screaming void and our data but IIS and an AD password.
So I start pissing in the tent. I tell everyone this is unacceptable security for our IP. Vendor acknowledges that their security is insufficient and lays out their roadmap to fix it, hopefully by the end of year(I’m holding my breath). I ask if we can just run the software ourselves.
I have a convo with our CEO who usually listens to my advice. He asks if we can just host the new software on our platform (the one that already has MFA and a whole lot of other security measures). I say, “That’s exactly what I was thinking.” So, CEO email in hand I go back to the group and tell them to make preparations to move the implementation to our platform.
Hotshot starts removed and moaning about how he doesn’t want another slow app. A data analyst chimes in with her two cents out of fucking nowhere. I’m not even sure why she’s on the email chain. I’m about two seconds away from going Joe Pesci on these goombas.
What the fuck guys? Who cares if the app is slower on our platform (not that it necessarily will be)? What good is a fast app that’s insecure? How fast is it gonna be when it’s ransomwared to hell? It’ll be nice that the app is fast when BianLian is downloading all our designs so they can extort us.
“Well they’re a big company and they haven’t gotten hacked yet?” Thanks for that Captain Smith, but I know a fucking iceberg when I see one.
Get three envelopes….
Yeah that’s a shirt move on his part to not bring you in. I can’t believe that his boss allowed it to go through
Glad the big boss sided with OP though!
Simple. Your users don’t care if it’s insecure. They click on fake password reset emails. You’re the bad guy here. They still haven’t forgiven you for requiring them to enter numbers when they want to log in.
Just say your cybersecurity insurance will not cover damages caused as result of inclusion of applications that are not compliant with the policy, loop in legal, sit back and watch how quickly bricks are shat.
oh jeez, gtfo asap.
He still has the ear and backing of the CEO, so I’d say stick around, but if that changes then I would be looking to bounce the fuck on out of there.
