"This is not how you handle things. When you find security issues, and they don't get fixed, it's one thing to attempt to prove a point with a PEN test. It's quite another to publicly expose information. You might find yourself in trouble, and you should be in trouble. This is a violation of the professional responsibility you undertake when working for someone.
This is the type of frustration that occurs in many IT workers. I've seen more than a few people working in technology that are sure they know how to properly configure and manage an application. They know how to set up security, and they become upset with a company that doesn't do a good job of running internal systems. They know that the architecture chosen for their application will fail when a load is applied.
There are some smart people in IT, but sometimes they think they're smarter than they are. Bad design, bad decisions, mistakes, even poor security practices will occur. However it's usually not your company, and it's not your place to prove that there is a flaw in a system. It's especially true that it's not your place to prove things without having been given permission to do so. Proving a point on your own is something children do, not professionals.
When you find problems in your organization, it is your responsibility to report them. I hope you think it's your job as a professional to do the best job you can, following the best practices as we know them. It's also your decision to choose to leave a job if you can't go along with, or abide by, the decisions made by your management.
If your company has chosen poorly in their technology decisions, I understand your frustration. I've often shared it, but I'd advise you to do what I've done. State your objections and either support the chosen path or find another job."
-written by Steve Jones from SQLServerCentral.com
No comments :
Post a Comment