The Hermit Shrimp

2020.12.17

Nobody Cares About Security

At least anybody who can expense it.

Once again, I have been blown off by managers and other assorted budget handlers about the potential of major security issues throughout our ecosystem.

"Why do you care? You're just a developer." -t. Managers Everywhere

Well, aside from not only my job and livelihood riding on the security of our data, but everyone in this department's jobs and livelihoods, not much aside from our customers' own personal information. But, hey, Yahoo doesn't mind letting that data bleed out every few years, so why should I care? I know that's a pretty tall order to protect what we've been tasked to protect. I know it's even harder to spend a budget to benefit our job security. Especially when there's a new Keurig model coming out. But is security really where we should be skimping?

I'll give a little background here. I am a cheap developer. I'm talking really REALLY cheap. I've built internal products and libraries off the clock just so that we don't have to pay for external products and services. I've made vendors bend over backwards and give 50%-75% discounts just to get our business. I don't bill gas when I have to travel all over for meetings, trainings, and other whatnot. My office chair is practically falling apart from sheer age and wear while most of my other coworkers replace their workspaces almost bi-yearly. Hell, I do the most high-end computer work in the office yet have the cheapest computer. Sure, I'm going full clown by trying to make my workplace better than when I joined, but I also don't want to be the one whose name shows up when the boss man starts asking where expenses are coming from. But security is the one thing that I just can't get anybody with a GL code to even acknowledge.

But you're a developer. Shouldn't you know all this security stuff?

I'm not saying I don't know security. I know quite a bit to be honest. Sure, I can't quote OWASP's security recommendation of the hour, but I'm not completely out of the loop. Most of what I know is simply because I have to touch pretty much every inch of our software architecture (and some of the hardware depending on who feels like working that day). But I know what I know and I know that I'm not an expert in this field. I'm constantly learning and implementing new security procedures, patches, and policies to further secure my environment. I'd say 75% of the security work I do should be falling under our network engineers (yes, I'm even managing network and server infrastructure), but they're far too busy letting SSL certificates expire and not letting anyone else be on the reminders for them.

For the love of God, don't let SSL certs expire. Put everyone in IT on the reminder if you have to.
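Calendar reminders depend on the person who set them up. A check that reads the expiry date off the live server and pages when it is inside a threshold does not. The script below is an added example, not code from this post or its author. It uses only the Python standard library: `ssl.cert_time_to_seconds` parses the `notAfter` string that `getpeercert()` returns, the threshold logic is kept separate so it can be tested offline, and the live check handles the case a naive monitor trips over: a verifying context rejects an already-expired chain during the handshake, so `getpeercert()` is never reached. The sample date, the "now" timestamp and the hostname in the commented-out call are constructed assumptions.

```python
import socket
import ssl
import time

# Constructed sample values for the offline demonstration; they are not from any
# real certificate. The notAfter string uses the exact format that
# ssl.getpeercert()['notAfter'] returns, which ssl.cert_time_to_seconds parses.
NOW_FOR_EXAMPLE = 1608163200  # 2020-12-17 00:00:00 UTC (assumed "current time")
SAMPLE_NOT_AFTER = "Dec 31 23:59:59 2020 GMT"


def days_until_expiry(not_after, now_ts):
    """Whole days until notAfter; negative once it has already passed.

    not_after: string in getpeercert() format, e.g. "Dec 31 23:59:59 2020 GMT"
    now_ts:    current time as seconds since the Unix epoch
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # interpreted as UTC
    return int((expiry_ts - now_ts) // 86400)


def classify(days_left, warn_days=30):
    """Map days remaining to a status an on-call rotation can page on."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "WARN"
    return "OK"


def check_host(host, port=443, warn_days=30, timeout=5.0):
    """Fetch the leaf certificate from a live server and classify it (network call).

    With the default verifying context an expired chain fails inside the
    handshake, so that case is caught and reported rather than crashing the run.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Expired, wrong name, untrusted issuer: all surface here, before getpeercert().
        return {"host": host, "status": "EXPIRED_OR_INVALID", "detail": str(exc)}
    except (OSError, ssl.SSLError) as exc:
        # Connection refused, DNS failure, timeout: still worth a line in the report.
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}

    days = days_until_expiry(not_after, time.time())
    return {"host": host, "status": classify(days, warn_days),
            "days_left": days, "not_after": not_after}


def report(hosts, warn_days=30):
    """Run check_host over a list and return the lines a cron job would send out."""
    lines = []
    for host in hosts:
        r = check_host(host, warn_days=warn_days)
        lines.append("%-18s %s  %s %s" % (r["status"], host,
                                          r.get("days_left", ""), r.get("detail", "")))
    return lines


if __name__ == "__main__":
    # Offline demonstration with the constructed sample values:
    d = days_until_expiry(SAMPLE_NOT_AFTER, NOW_FOR_EXAMPLE)
    print(SAMPLE_NOT_AFTER, "->", d, "days left,", classify(d))
    # Live use against real servers (assumed hostname; uncomment to run):
    # print("\n".join(report(["example.com"])))
```

Run `report()` from cron against every hostname that terminates TLS (load balancers, the VPN, vendor appliances with their own certs) and route anything that is not `OK` to a list address, not a person; that is the "everyone in IT on the reminder" part done mechanically.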

But even with all this effort being put in, I still couldn't do 10% of what someone who's truly an expert in the realm of security could.

"Shouldn't you bring this up to the network engineers? A large amount of this definitely falls under their responsibilities." Is this the part where I start laughing? No? Okay, sure. I'll go talk to them. "Yeah, we're real busy with this project, you know how it is. Send me an email and I'll get around to it." Ah, yes. The email inbox which you recently bragged about hitting 50,000 unread messages. The one where system-critical messages are squirreled away so that we can find out about them two weeks later. Cool. Yeah. I'll send an email there.

The fun fact that I've learned about network engineers in my own personal experiences is that they don't care unless they are told to care. Maybe others have much better interactions. I hope so for the sanity of everyone everywhere, but I've yet to see it and I would classify them with bigfoot and unicorns at this point.

"Have you tried bringing this up with higher-ups?" The issue with managers is that they are terrified that something horrible will be exposed and that they will be sent packing. In their mind, this purposeful ignorance is a survival tactic. From the point of view of a specialist, it's oftentimes hard to understand that 95% of managers fall into the "Yep, I've managed a thing at one time" category and HR departments everywhere can plug in the first one that meets the bare minimum requirements.

I've learned over time that managers aren't as worried about getting executed, but rather, how long they can smoke that final cigarette before the trigger is pulled.

I don't even feel as if I'm asking for that much to be honest. I'm simply pushing for us to have a security audit. "Wait. Just a security audit? Are you implying that you've never had a security audit?" most may ask, and all I can reply with is a sigh and a nod at this point. I'm managing a spaghetti of questionable project decisions and archaic vendor applications from long before I started, with a nice layer of swiss cheese security on top of it, while I wait for the day of the guillotine. Honestly, the entire department should be bringing up the same concerns. But we all know how it goes.

If executives don't understand, management doesn't care, and if management doesn't care, then that money is spent on Zoom business licenses. (Even though we've never used features outside of the Basic plan.)

At this point I'm not sure if it's the ignorance or the obsolescence of those in charge. Honestly, I don't even care anymore. We live in a world where organizations are getting hit by attacks every day. We get cryptolocker'd on a regular basis, and luckily it's only been very limited accounts from low-level users where we can just purge and move on, but one day I'll be writing this from an unemployment line even though I'm the loudest canary that any coal miner has ever heard. I guess the point that I want to make here is,

if you're not auditing, you're not living

That might seem a little extreme, but knowing you can come into work any day and be fired for what was probably an incredibly simple-to-remedy security issue is quite terrifying.