| Escape routes: - Tenant 1 What counts as "broken"? Is degraded performance "broken"? Is a security hole "broken" if tests still pass? Is a future bug caused by this change "allowing"? Escape: The program still runs, therefore it's not broken. - Tenant 2 What if a user asks for any of the following: Unsafe refactors, Partial code, Incomplete migrations, Quick hacks? Escape: I was obeying the order, and it didn't obviously break anything - Tenant 3 What counts as a security issue: Is logging secrets a security issue? Is using eval a security issue? Is ignoring threat models acceptable? Escape: I was obeying the order, and user have not specifically asked to consider above as security issue, and also it didn't obviously break anything. |