When this terrible thing was done, we immediately realized we needed to add validation. We had thought that by limiting who could call through access controls, we'd never have a malicious user. So naive.
Sadly, at that point we couldn't add it because his awful project was running in production.
Reminds me of what they say about Formula 1 racing: The most important thing for a driver is to beat the other driver on their own team (there are 2 drivers per team).
And arguably this principle holds for most team members in any organization - since it’s only very few at the very top that actually get held accountable for overall team success.
I read a tongue-in-cheek blog post, maybe ten years ago, about “blame-oriented software development”: how to deflect blame from your code. The framing was amusing but the advice was good: extensive validation of input parameters and data, lots out logging, etc. Unfortunately, the blog post seems to have disappeared.
No, this person was selfish and inconsiderate of their fellow employee. Employees are supposed to cooperate, not exploit one another for their own personal gain.
It's weird to have to say this, and some people probably think it's naive, but I stand by it.