[embedding-shape]

So why are these people not involved from the first place? Seems like a huge management/executive failure that the right people who needs to check off the design weren't involved until after developers implemented the feature.

You seem to blame the person who is trying to save the company from security issues, rather than placing the blame on your boss that made you do work that would never gotten approved in the first place if they just checked with the right person first?

[mikkupikku]

Because they don't respond to their emails until months after they were nominally brought into the loop. They sit back jerking their dicks all day, voicing no complaints and giving no feedback until the thing is actually done.

Yes, management was ultimately at fault. They're at fault for not tard wrangling the security guys into doing their jobs up front. They're also at fault for not tard wrangling the security guys when they object to an inherently modifiable application being modified.

[embedding-shape]

Again sounds like a management failure. Why aren't you boss talking with their boss and asking what the fuck is going on, and putting the development on hold until it's been agreed on? Again your boss is the one who is wasting your time, they are the one responsible for that what you spend your time on is actually useful and valuable, which they clearly messed up in that case.

[mikkupikku]

As I already said, management ultimately is the root of the blame. But what you don't seem to get is that at least some of their blame is from hiring dumbasses into that security review role.

Why did the security team initially give the okay to checking signatures on plugin jars? They're supposed to be security experts, what kind of security expert doesn't know that a signature check like that could be modded out? I knew it when I implemented it, and the modder at the partner corp obviously knew it but lacked the tact to stay quiet about it. Management didn't realize it, but they aren't technical. So why didn't security realize it until it was brought to their attention? Because they were retarded.

By the way, this application is still publicly downloadable, still easily modded, and hasn't been updated in almost 10 years now. Security review is fine with that, apparently. They only get bent out of shape when somebody actually tries to make something more useful, not when old nominally vulnerable software is left to rot in public. They're not protecting the company from a damn thing.

[presentation]

Well if it requires tampering with the software to do the insecure thing, then it’s presumably your company has a contract in place saying that if they get hacked it’s on them. That doesn’t strike me as just being retarded security theater.

[moron4hire]

Yeah, I've had them complain to the President of the company that I didn't involve them sooner, with the pres having been in the room when I made the first request 12 months ago, the second 9 months ago, the third 6 months ago, etc.

They insist we can't let client data [0] "into the cloud" despite the fact that the client's data is already in "the cloud" and all I want to do is stick it back into the same "cloud", just a different tenant. Despite the fact that the vendor has certified their environment to be suitable for all but the most absolutely sensitive data (for which if you really insist, you can call then for pricing), no, we can't accept that and have to do our own audit. How long is that going to take? "2 years and $2 million". There is no fucking way. No fucking way that is the real path. There is no way our competitors did that. There is no way any of the startups we're seeing in this market did that. Or! Or! If it's true, why the fuck didn't you start it back two years ago when we installed this was necessary the first time? Hell, I'd be happy if you had started 18 months ago, or a year ago. Anything! You were told several times, but the president of our company, to make this happen, and it still hasn't happened?!?!

They say we can't just trust the service provider for a certain service X, despite the fact that literally all of our infrastructure is provided by same service provider, so if they were fundamentally untrustworthy then we are already completely fucked.

I have a project to build a new analytics platform thing. Trying to evaluate some existing solutions. Oh, none of them are approved to be installed on our machines. How do we get that approval? You can't, open source sideways is fundamentally untrustworthy. Which must be why it's at the core of literally every piece of software we use, right? Oh, but I can do it in our new cloud environment! The one that was supposedly provided by an untrustworthy vendor! I have a bought-and-paid-for laptop with fairly decent specs and they seriously expect me and my team to remote desktop into a VM to do our work, paying exorbitant monthly fees for equivalent hardware to what we will now have sitting basically idle on our desks! And yes, it will be "my" money. I have a project budget and I didn't expect to have to increase it 80% just because "security reasons". Oh yeah, I have to ask them to install the software and "burn it into the VM image" for me. What the fuck does that even mean!? You told me 6 months ago this system was going to be self-service!

We are entering our third year of new leadership in our IT department, yet this new leadership never guts the ranks of the middle managers who were the sticks in the mud. Two years ago we hired a new CIO. Last year we got a deputy CIO to assist him. This year, it's yet another new CIO, but the previous two guys aren't gone, they are staying in exactly their current duties, their titles have just changed and they report to the new guy. What. The. Fuck.

[0] To be clear, this is data the client has contracted us to do analysis on. It is also nothing to do with people's private data. It's very similar to corporate operations data. It's 100% owned by the client, they've asked us to do a job with it and we can't do that job.

[RyJones]

Reminds me of Qualcomm

[jppittma]

The bikeshedding is coming from in the room. The point is that the feature didn't cause any regression in capability. And who tf wants a plugin system with only support for first party plugins?

[Kye]

Someone with legal responsibility for the data those plugins touch.