The OP isn't an engineer, but this really highlights the difference between real engineers and software developers who like to pretend they're engineering.
If the OP was an engineer, the answer would be lose their license and never work again in the field.
Yeah unfortunately you can chalk this up to the early 90s obsession with libertarianism and anti-regulation. Establishing strong regulatory bodies would be and continues to be antithetical to the Silicon Valley Ayn Randian obsessed cult of free marketers.
Regulatory bodies in the past were setup ultimately by government legislation (though typically run arms-length or fully independently thereafter), and until government starts actually taking these things seriously no software developer will ever be an "engineer" unless there are actual licensing and standards by authoritative bodies.
This sort of snobbery is pretty silly. Do you think engineers didn't exist throughout all of history until someone decided to start handing out pieces of paper?
Yeah sorry, it's silly. Use the term "licensed engineer" or something. Don't come up with new definitions for words and then get offended when people point out that you're being silly.
I think you don't understand what you just quoted. But yes, you should introspect about why you're being silly about trying to redefine a word and then getting offended over it.
In North America at least, the term is Professional Engineer. PEs are generally licensed in a way similar to doctors and lawyers. At one point there was a push to professionalize software engineers, but it never got very far.
Feel free to call yourself a software engineer (or even a software doctor). The titles aren’t controlled and as a result don’t really mean anything.
I believe that in Canada, and certainly in Alberta, the titles are very much controlled. The regulatory group APEGA has a Professional Engineer designation for software engineers as well
Context matters. Even in Alberta, the term “software engineer” doesn’t mean anything. Last time I looked into this, Quebec was trying the hardest to control usage and they actually took Microsoft to court for their MCSE title.
Another example: the University of Alberta has a software engineering program.
Search on Canadian job sites and you will find hundreds of software engineering jobs across Canada (including Alberta).
Other examples of non-PE engineers include stationary engineer (people who operate boilers) and locomotive engineer (people who operate trains). They may have their own regulations, but it is entirely distinct from Professional Engineers.
It's a bit complicated. In Oregon, for example, someone was fined $500 in 2015 for referring to themselves an engineer; although they had an engineering degree, they were not a licensed professional engineer. The state law was invalidated in 2018.
In 2023, if you call yourself a "car doctor" or "software doctor" nobody will bat an eye. If you call yourself a doctor in a way that implies that you have a medical license, people will get upset. If you call yourself an engineer in a way that implies that you have a relevant license, people will similarly be upset.
The OP squabbling about someone calling themselves a "software engineer" is just being silly. Where it matters in the US, the term "professional engineer" exists for exactly this distinction.
So your argument is that a software developer can use the term software engineer because no reasonable person would assume that they actually are an engineer?
Sigh, no. There's many types of engineers, and if you imply that you're a type of engineer you're not, people will get upset. Stop looking for "gotchas", especially ones that demonstrate a lack of reading comprehension.
Without throwing around insults that are out of place on HN, I think the GP's position is fairly straightforward, at least as I understand it.
Software developers have a tendency to call themselves "engineers" based loosely on what they do (software engineering, or at least development) rather than based on them holding an engineering degree and/or professional designation. I'm neither a software dev nor an engineer, and I initially found it confusing when I'd come to a forum like this and see people say "I'm a software engineer" or "I work as a software engineer for X" without actually having any of the aforementioned credentials.
In contrast, I don't think people are so blase about using the term "engineer" casually in other contexts, or even other areas of engineering. Folks calling themselves mechanical engineers, or electrical engineers...actually are engineers. As for the example you gave of a "car doctor", it is evident that people might use the term "doctor" in such a way as to show they're not actually doctors, which is not the case in the present context. I don't see mechanics referring to themselves as just doctors, or describing what they do with cars as medicine.
The OP is only saying that if he had the piece of paper, he would know that the piece of paper would almost automatically be retracted as soon as he acted like this.
And, no, this sort of thing didn't exist before the pieces of paper, for obvious reasons.
Writing a piece of code after a bootcamp isn’t engineering, and being the technical guy will not make you an engineer either, for starters, you learn engineering ethics in the engineering disciplines, and he (or she) would know what to do in that situation. What OP pulled will rarely ever happen in civil/electrical engineering because they can report that and revoke the company license.
Of course they're not an engineer. They're writing software, not feeding and managing a boiler hurtling down the tracks. Not sure you need a license to do that either.
What difference would it make? Any "real engineer" (of whatever you definition you might have of that) will also find themselves being in a shitty position in this situation, which is somewhere between getting fired, voluntarily leaving, living with ethic concerns, being a whistleblower, or finding a compromise that isn't great but maybe acceptable for them.
FWIW, I would consider myself a "real engineer" (because that's exactly the title that was granted to me by my university and country. And there's nothing I ever could have done to become a "more real engineer"). And I could see myself exactly in the same situation if I worked for a bad company. In that case I would have no idea how my title would help me.
Real engineers accept the moral and ethical responsibilities associated with the title, and accept the consequences of failing to do so.
The concrete difference is evident in this post and these comments. A real engineer, including a real software engineer, would understand their responsibilities and the question in the OP would be moot.
> In that case I would have no idea how my title would help me.
Well, yes, because for you (unlike the majority of the world) engineer is just a title.
Exactly. The situation in the the article would not have happened if the OP had the ethical foundation that comes with actual Engineering education and training. He would have simply refused to lie because 1. Lying is wrong and 2. It would put his future employability in question.
This chucklehead lied and is now panicking, pointing fingers and making excuses. A single class in Ethics could have prevented this.
Yes. This. In my past in situations like this I have given the sales team the line “I can answer truthfully or you can write your own answer to the customer.”
ignoring the legal implications. if you have a choice do you really want to spend you life lying for other people so they can pretend to be successful? you could actually do something with yourself instead.
If a secretary had combined the answers from different people into a single document and gave it to the boss, would they also be guilty of fraud if they didn't believe all the answers?
OP didn't write the incorrect answer, OP didn't attach their name to it (as far as I know), and OP didn't send it to the client.
It can be really hard to flat out refuse on ethical grounds to do something your boss tells you to do. I’ve only done it once, and I knew it meant my time at that job was coming to an end. I was gone a few months later and in a better position.
I don’t think this is hard at all, especially in the tech industry when you can easily find a different (likely better) job. I’ve flat out refused things on ethics grounds multiple times in my career (startup life is like that), and while it resulted in me leaving the company twice, once I got promoted, and most of the time I experienced no repercussions personally at all and the person being unethical was dealt with.
Ethics is a personal choice and if you have strong ethics, refusing to commit fraud is effectively a no-brainer. There’s no difficulty to this decision. Your “boss” at work isn’t actually in charge of your actions, you get to choose how you want to live your life on your own terms. Most managers are incompetent and sleazeballs abound in business. There is effectively no leverage these assholes have over you except continued employment working for asshole liars.
A job is a job. Ethics are about who you are as an individual. It’s a policy for your life and defines your character. I’d scrub toilets before I would defraud a customer.
It’s a trivially easy choice for anyone with good ethics, full stop. Your contrived straw man has no relevance to the person in the OP, and they have none of those qualms. You’re doing a lot of mental contortions to defend committing fraud.
The general answer is that we can all be held personally liable for our own torts. For example, if a delivery company driver runs into a pedestrian, the pedestrian can definitely sue the driver. Usually, however, they will want to sue the company instead, because the company has more money.
The same logic applies here. The customer can sue the employee who falsified the records, but they’re more likely to want to sue the company.
I think this is a form of boilerplate for acknowledging that no lawyer will want to give you legal advice without a more detailed phone call, and the acknowledgement that a non-lawyer can’t really offer legal advice.
The way I handle this is to ask “how strongly would you be encouraging me to get a lawyer right now?”
I'd think the same. That's why in some law forums you are expected to write your questions in the manner of "suppose the hypothetical case that person X did Y, ..." instead of "I did Y, ...". So people are only talking about a theoretical case, and not give actual legal advice.
If I was going to get fired it’d be for telling the truth. Saying no is allowed. If they fire you for telling the truth and there is evidence to support your position then sue the fuck out of them for unfair dismissal.
I've broken my habit of retreating from customers. After all, if you don't know their pain, how are you to be an effective yardstick of Quality? If people try to keep you away from the customers/users, you beeline to the customers
I think your'e overemphasising how bad it is. I worked for quite some time as a computer tech fixing problems on-site and seeing exactly what issues customers face. I didn't come across too many "bad" clients. Now maybe this is because most customers could not call me directly, they had to log a call first but most people realise that your work is just as important as theirs is.
Since your comment references sueing, I’m going to assume you’re in the US, where almost all employment is “at will”. They can dismiss you for any reason as long at it’s not a protected one. Telling the truth and being a jerk is not a protected status, so you won’t be getting anywhere with that lawsuit.
How does that work when the employer puts you in a position where you must provide an answer, the expected answer would involve commiting a crime, and the only alternative is to tell the truth? Whether we like it or not, employers have a lot of leverage over employees. Arguably, it is one of the reasons why employees are paid disproportionately less. Such protections should exist.
I'll believe youbif you claim they don't. I'm not an American, nor do I work for an American firm. On the other hand, I do find it ironic that a country would tout law and order while not providing the means for individuals to uphold that ideal.
If you're caught, yes it is easier dealing with the truth. On the otherhand, I doubt that the boss thought they would be called out on the claim and I doubt they think they will be called out on the verification of the 'evidence'. After all, it sounds like at least part of the correspondence was in writing, so it could come back on them.
It's not a fun game to play if you're someone who believes in honesty, or think that you will be accountable. On the other hand, some people seem to believe that the costs outweigh the risks. That's particularly true if most of the blame can be diverted to someone else.
People who ask you to do crimes against others will eventually do crimes against you. They obviously don’t have ethics and will just do what’s convenient for THEM. Don’t work for people like that.
In the US retaliation by an employer for an employee reporting inappropriate or unlawful conduct to a superior is unlawful. This is a protection granted at the federal level.
The corporations have done a good job convincing most people that “at will” means they can let you go at any time for any reason. They can’t. But we’re in Get A Lawyer territory.
ehhhh. Lots of hyper-conservative responses there (which is understandable, it's asking for legal advice). But assuming this is part of an RFP response, "embellishment" of answers is par for the course, and I understand the frustration of the director.
First, there's always a good chance nobody on the client side actually cares about this. RFPs tend to come with hundreds of questions, most of which are put in as requirements by completely detached departments to make them feel important, but don't actually matter. If something is important, it can be negotiated. For example, if the pen test is important, you can get the client to agree to sign the contract with a clause that says if they don't get pen tests results by X date the contract is void.
Second, well, what is a pen test, really? If you ever called one of your APIs to validate that your authorization or authentication code works, or you've validated that your AWS security groups are blocking external traffic to your database, congrats, you've performed a "pen test"! The client won't consider that sufficient, of course, but it's a justification for an answer on an RFP, at least. If they want more details, as they do in this case, they can always schedule a follow-up call or ask to see the pen test results document.
This situation reads like an engineer who needs a bit of business/sales experience more than anything. In their discussion with the client, you can start with "we've currently only done in-house penetration testing, but are looking to contract an external vendor to do penetration testing by X date." Assuming you've done any testing, this is a true statement, and the client can determine if that's sufficient.
The real solution to this is to get SOC2/ISO27001 certification, though, which makes a lot of these RFP headaches go away.
Absolutely nothing you said in this post is true or valuable, other than your final sentence. You appear to be far too comfortable with lying to clients.
Remember that the goal of most security/procurement questionnaires isn’t _security_ … it’s _conpliance_
Compliance is not security.
For buyers, they often just need to check a box so that they can maintain their own compliance obligations. They probably don’t care all that much about your security if you can check all the boxes.
Pen tests are a joke. You can get perfectly acceptable pen tests (from compliance perspective) done for $2k in less than a week and the testers will try to find a couple things but their goal isn’t to evaluate your app’s security. Their goal is to make you happy with the report you’re paying for (and you won’t be happy if it has a list of 100 security bugs)
Note: I don’t like that this is how compliance works. I wish compliance were more closely tied to security. But that’s simply not reality.
Sure it's about compliance. In the event of a problem followed by a lawsuit, how comfortable would you feel explaining to a judge that you falsified the compliance forms? If the answer isn't 'completely comfortable", you probably shouldn't go around falsifying compliance forms.
>>This situation reads like an engineer who needs a bit of business/sales experience more than anything.
Your post reads like a salesperson hand-waving away actual situations of consequences in favour of a quick buck. There is literally no embellishment in this scenario, it's outright lying. He didn't say "well we tested security in some things but it wasn't up to a great stabdard", he said "we didn't do any pen testing" and when asked he said the opposite.
lol there's no ambiguity here. I love it when otherwise "street-wise" salespeople get challenged with very obvious scenarios they all of a sudden become postmodern philosophers.
"I mean, what does it even mean to COMMIT fraud? I mean, did I really "commit" to it if I did it once but gave it up after? Hmmm? Ever ask yourself these deep kinds of questions?"
Give me a break. Some sales people are so deep into a near-sociopathic lifestyle of "sales" that they are just pathological liars in the most literal sense. They don't even see themselves weaving deception.
> he said "we didn't do any pen testing" and when asked he said the opposite
I conjecture they _did_ do something that could reasonably be called pen testing and didn’t realize it.
GP even gives some examples: testing authentication code, checking security group configurations, and testing API calls all counts as rudimentary pen testing.
My point is that while they don’t believe they did a pen test, it’s very possible that their standard correctness testing of security related features was sufficient to meet a broad definition of the term.
If a client tells you what they need, you don't get to decide what the client needs.
The sort of "business/sales" you're referring to may work well for someone not interested in building long-term relationships for repeat customers, but you're describing the exact type of fratboy used car salesman that I avoid doing business with whenever possible.
If all they said was effectively “we did some pen testing at launch” without any claim of meeting any standard or going into much detail then even the most rudimentary test/validation of the correctness of any vaguely security related code could be charitably considered to be a pen test.
Lying is not an embellishment or puffery, it's a lie. Engaging a company for a 3 day pen test that's totally insufficient, that would be an embellishment.
It doesn't matter if the client doesn't really care. That's just a rationalization, plain and simple. No different in kind from, "well the bank teller doesn't really care if I rob the bank because it's not their money, and the money is insured anyway, so is it really even robbery?" Only different in degree (to be fair, an enormous degree; just to illustrate).
A pen test is a real thing. "What is a pen test really?" is another rationalization. There may be many flavors of pen test, but fabrications are fabrications. One of the most important part of pen tests is that they are external. It's like saying, "what is an audit really? We have accountants and they check our books for anomalies." Just doing your job as an engineer and looking for bugs is not a pen test. In the same way that being careful and rereading your own changes is not a code review.
This reads up me like an engineer committed to their work. I think they should be proud of themselves for not going along with this. I think the problem is that management isn't doing their job properly. They're cutting corners because they fucked up and didn't make sure a pen test happened or listen to their technical people. This is a strategic necessity for the company that would have been so easy to accomplish and should have been foreseen. They're trying to rule by dictate and it could destroy their career if this ends up in court. Even now, they could get some kind of rush job done - but no, they choose to endanger the company and the people in it instead.
Imagine being a lawyer or a paralegal and getting your hands on those emails in discovery. They didn't only demand their engineer lie, they did it in writing. The engineer is not the problem here.
> Lying is not an embellishment or puffery, it's a lie. Engaging a company for a 3 day pen test that's totally insufficient, that would be an embellishment.
I agree, but if the RFP question was phrased "have you done penetration testing?" then that leaves a lot of room for embellishment. If the question is "do you have SOC2 certification?" and you answer "yes" untruthfully, then that is a lie. If they ask for the SOC2 or pentest report and you give them a falsified document, that's where you're (probably) committing fraud.
> One of the most important part of pen tests is that they are external.
AWS/Google/etc have internal security teams doing their pen tests, so no, this isn't true.
> Just doing your job as an engineer and looking for bugs is not a pen test.
What about an engineer spending an afternoon running ZAP[0]?
> It's like saying, "what is an audit really? We have accountants and they check our books for anomalies."
Yeah, which is why you don't just ask a company "do you keep track of your finances?" if you're investing in them, you request external auditors.
I have literally worked alongside external pentesters for some of those organizations you allude to. I still remember their codenames.
They might have the scale to have internal pentesters nearly as isolated as external pentesters. A ten person startup definitely does not.
Regardless of what tools you use, an internal pen test isn't the same. Do internal accountants use different tools than KPMG? Probably not.
The RFP likely did contain more precise language.
I encourage you to reflect on your position. It's very odd to me that your attitude is, "if the customer didn't want to be lied to, they should've tied me down better, because I'm like a djinni who will twist your words against you if there's the slightest ambiguity." I understand the sentiment that RFPs and contracts need to be locked down. I don't understand the sentiment of, "they had it coming."
> Regardless of what tools you use, an internal pen test isn't the same
It isn’t the same as an “official” pen test for a 10 person company with non-specialists, sure. But the document, to our knowledge, didn’t ask if they had some specific form of pen test.
> because I'm like a djinni who will twist your words against you if there's the slightest ambiguity.
They aren’t twisting anything. If a quick and informal pen test meets their definition then they should be more specific.
> Just doing your job as an engineer and looking for bugs is not a pen test
A pen test’s goal is to find security bugs by posing as an attacker. There is no requirement that it is systemic, formally documented, performed by a “security expert,” or that it is done by any external party.
Those are all desirable _properties_ of a pen test that may be required for various certifications, but an engineer can absolutely conduct a quick and informal pen test at any time.
I don't actually like this answer but there's likely some truth to it.
I am reminded that when I bought a house in my twenties, at the scheduled closing there was some detail that was incorrect. There was a line in the document where we had to say something like "Yes, x paper is in hand." In reality, I think we were still waiting for it.
And when I was like "But this isn't true. Shouldn't we wait until we have this?" the banker said "That's your call."
So it was lie about it because the paperwork wasn't going to go through if it said anything other than "Why, yes, we absolutely have that!" or delay closing on the house, which could mean losing it. So I signed.
And it never came up again. No one ever called and said "But what about blah?"
If you are knowledgeable about the bureaucratic process, you may know which check boxes must be checked off, true or not, to file it and in most cases don't actually matter. If you aren't knowledgeable, you are seriously gambling.
So in reality, this kind of thing does go on, like it or not. And if you are too pedantic, you can't get things done. Things will grind to a halt while you dot every I and cross every T.
There’s a difference between you knowingly waiving a requirement that is to your benefit (receiving the necessary disclosure document before closing) to further a goal to your benefit and you making a statement on a form to the detriment of someone else.
In your analogy it would be as if the seller ticket the box saying that they’ve disclosed all deficiencies to you despite not having done so, to not jeopardize your willingness to close.
I don't recall what the document was but in real estate, a defect can also negatively impact neighbors or future owners. If the defect was the responsibility of the previous owner and not having the disclosure at the time of the closing means you no longer have legal standing to pursue remedy and you don't get around to fixing it, it may get grandfathered in and now it's potentially a permanent situation.
I think TFA is a case where the OP messed up. He shouldn't have lied to appease his boss and it seems he wasn't clear about that at the time.
He didn't seem to feel he was lying. He told his boss X then did as he was told. And I think this sort of mental disconnect is common and, among other things, leads to problematic choices for how to relate online.
In his mind, while filling out the papers, what he said was part of this larger conversation and his boss knew what he really believed to be true. The problem is that putting it in writing means other people can read it and they aren't part of this larger conversation.
I was clear that signing the papers could come back to bite me but based on the banker's remark inferred he wasn't concerned and he felt rescheduling was a bigger problem. Odds are good the item showed up soon after and was added to the file and said the "right" thing, so didn't create problems.
I still think what I said elsewhere: OP should probably be planning his exit. But I do also understand why some people have sympathy for his boss and feel like playing devil's advocate here.
The entity conducting the pen test -- i.e. a third party with no interest in shipping the product -- is what makes it a pen test. Otherwise it's just QA.
I get what your saying, but boy do I not want to live in society created by this worldview. In my opinion, this approach is antisocial. It forces everyone to write massive contracts and build bureaucratic mega processes to validate and specify every single definition in that contract because you can't ever trust your counterparty to abide by the spirit of your request.
This comment really nicely captures how I feel about this. There's something to be said about good faith and knowing what the spirit of the agreement is.
There are some comments here saying stuff like "these compliance forms are ridiculous and are often just bureaucratic nonsense" and you see comments advocating for playing dumb and answering in bad faith and there you go.
I see there being a bit of an attitude of "everyone is doing it" to justify also doing it just to compete because you're at a disadvantage if you don't. And that's not entirely wrong but it sucks and I personally will avoid competing in that way. Probably that means not much sales in my career. Or science, but that's another topic...
I worry that this is how we all end up doing meaningless administrative work, while we outsource all the useful "actual" work to poorer nations, where all of our administrative specifications can be overlooked or ignored.
To each their own, I don't want to be the victim of identify theft because sales pushed engineering into releasing shit code with a simple buffer overflow that noone ever tested for.
Why does my worry about bureaucracy have to mean I want to be the victim of identity theft? I understand and agree with the value of good security practices. I just worry that assuming all software is insecure unless some very complicated and "iron clad" contracts exists and are independently validated. It's a recipe for a very inefficient society.
I actually worry that this mindset of adversarial relationships make it MORE likely for your identity to be stolen.
I don't think there is too much software a government agency will buy that I wouldn't like to see pen tested. By it's nature government is often dealing with sensitive data.
I'm not sure why having standards that should be met around software testing would make my data less secure. Weve seen leak after leak and so frequently it's some basic issue caused by massive incompetence, or more often, by decision makers cutting corners to make a quick profit.
In some situations, maybe. In this case, given the director swore at OP, I strongly suspect foul play.
Were we talking some light fudging, the director would have spent time explaining what the customer is asking for and worked with them to determine whether what they do supports a statement of “we do security testing.”
And if they can’t support the claim? Well, the director’s response will tell you if they’re an honest broker or not.
If the engineer has a problem now, they'll have a complete mental breakdown during a standard SOC/ISO certification.
However, the director also does not seem politic enough to maintain plausible deniability, if they're saying "what the fuck, just sign your name uncritically on this statement" vs guiding them towards a long, detailed, qualified, technically-truthful answer. ("We did these things on these dates" and leave it up to client to evaluate whether its sufficient/is really pen testing) Which the client would require anyway if the process moves forward. The entire situation just seems like a shitshow.
Honestly none of that is a pen test under almost anybodys understanding of the word.
If the request wasn't specific, you may be able to get away with arguing that way in a court, who knows.
When you tell the director it is not true, author a document that says otherwise, and then document the whole thing on the internet, by that point it is a lie not embilishment, and I'd be worried about fraud myself.
1/ Normally lying in bids can get your company barred from competing in bids for several years, if these are financed by something like the World Bank, the disqualification can be extended to other geographies.
If your employer asks you to do something and there is no moral imperative to to what is being asked, even if you do not think it is wise to do it, just do it.
If your employer asks you to do something that has some moral imperative, you need to ask yourself if doing this makes your moral standards, are you willing to compromise your moral standards or will you stand upright and be the man and face the consequences from your employer.
Either way, you will face consequences and if you fail your own moral standards you have to live with that.
I would go with "I was not present for any penetration testing at launch, and I'm unable to find any reports related to it. However, penetration testing done that long ago would have little current value anyway. What I will do is talk to my leaders and get regular penetration testing scheduled, and get that schedule to you asap".
> However, penetration testing done that long ago would have little current value anyway. What I will do is talk to my leaders and get regular penetration testing scheduled, and get that schedule to you asap".
Just leave that out. No point in saying it other than to make more trouble and work for yourself.
Yes, the idea was to make a commitment that would then be hard to avoid. They can fire you I guess, but it's a reasonable course of action to get some pen testing in place.
I wouldn't put that t exactly like that, but I would talk to the director and put something similar.
Most compliance frameworks like SOC 2 have a requirement for an annual pen test, so if the pen test was over a year old it wouldn't matter anyway. Best approach would just be to talk to the director and say something along the lines of "Our next pentest is scheduled for date XYZ and we can send you those results upon completion".
People who tend to freak out in situations like these where "let's lie" is their go-to, when an honest approach is possible that will likely get the job done, scare me.
Edit 2: after seeing the replies, my revised advise is to schedule a cheap pen test (can be done in less than a week for less than $2k) and tell the client “Our next pen test is scheduled for next week”. Doesn’t need to be harder than that. Pen tests for satisfying compliance requirements are easy, cheap, and quick.
-
My advice: get on the zoom call and when asked about the pen test, repeat something like “we have a security policy in place that obligates us to do a penetration testing at least annually”
(Assuming you have such a policy. If you don’t, then you and your company is out of your league selling to governments)
Assuming you have a basic set of security policies (almost all of which will say you’ll do pen tests annually), just repeat the line like “we have a security policy in place that obligates us to do a penetration testing at least annually”
And if you’re asked again more specifically whether you’ve done one in the past year, don’t answer directly and repeat the quote again.
The key here is do say the maximum amount of (positive for your company) truthful information and deflect or redirect away from questions where the truth would hurt the sale. Engineers often have trouble with this because it’s most engineers have a tendency to want to answer questions directly and literally.
And, make sure the sales rep is in the call. If the client backs you in a corner and you don’t know how to redirect or deflect, then you hand the baton to the sales guy.
Edit: Or, just do a freaking pen test. You can get one done in less than 2 weeks for less than $2k.
I would go with, "I was not involved with pen testing, but <director> has assured me that it was done."
But really the right thing to do is to have a conversation with the director where you tell him that you want to support the company as well as possible, but saying that a pen test happened is not something you can do. You want the director to feel that you are reasonable and supportive, but realize that they have to find someone else to claim that the pen test occurred.
Why be misleading? The directors are clearly wanting him to be a scapegoat. Just get on the zoom call and say you've never done pen testing, and your director lied to them. Also look for another job, this one has a short lifespan remaining one way or another
You can 100% tell the truth and be misleading. And why should this person put in that effort? The directors will throw them under the bus in an instant, and in fact are probably planning on it.
My advice is to answer the questions politically instead of literally.
Compliance people (on the other end of the line) actually like this in many cases… literal answers can make their jobs harder than politically worded (but not untruthful) answers.
It's worth mentioning that there is a legal definition of fraud[1]. Fraud must be proved by showing that the defendant's actions involved (5) separate elements:
1. A false statement of a material fact is made
2. Knowledge on the part of the defendant that the statement is untrue
3. Intent on the part of the defendant to deceive the alleged victim
4. Justifiable reliance by the alleged victim on the statement
5. Injury to the alleged victim as a result
So if the local government is hacked because they thought the software provided was pen tested and it actually wasn't, congratulations, you've hit fraud bingo.
If you present a document you know to be untrue, that’s the same as lying.
OP, get a pen test scheduled and tell the client, “You know, we’ve had a lot of changes since we rolled out. Since you asked, we felt it was best to get a current pen test to reflect our present state.”
No lies (just a slight deception with the truth) and you get a legit pen test your client can rely on.
That sounds like a very reasonable course of action. However... given the circumstances the author is in, I don't think his director is the type to schedule a pen test and then wait for all the violations to be resolved in order to get the contract. (I assume the client, as a government entity, is legally required to obtain a minimum number of bids for contracts and make a decision in a timely manner.)
Lying and fraud aren't the same, which is the author's concern. Lying incurs a social cost. Fraud incurs both social and legal costs.
I don't... think so? He clearly intended to create a deceptive document, and wrote separately that it was false (don't delete this, wink wink, nudge nudge). The director didn't hold a gun to his head.
A determination to perform a particular act or to act in a particular manner for a specific reason; an aim or design; a resolution to use a certain means to reach an end.
It doesn't matter if the OP wanted to deceive the client or was pressured to do it, they still intended to do it. Again, IANAL, but people are held liable for their illegal actions all the time, even if they were pressured. Also, think about the kind of pressure this manager is applying relative to the (potentially) fraudulent thing they're asking the OP to do. If the manager was holding their family hostage, by all means, lie about the pen test. I know it's easy to advise the OP to "just quit", but not everyone has the luxury of doing that for personal or financial reasons. That being said, I'd rather be out of work and struggling instead of on the hook for fraud.
For “injury,” I believe the payment to the party telling the lie is sufficient. You’re purchasing a service under false pretences, which is a harm in and of itself.
Once, early on? Yes. Paperwork said laid off, but conversations around the time about how precarious the point in my career that I was at painted a different picture.
Not going into gorey details. Suffice to say, I will not lie. I will not engage in the calling of a spade anything other than what it is either. Results and actions speak louder than words, and with mine I truly seek to never through my actions to make the world worse.
Still find jobs. Still build things. Still help worthwhile projects get pff the ground. Gotten pretty good at it too. Still not afraid to walk out the door the minute things begin smelling of fish.
It's much easier to get legal representation and compensation if you are fired. That's because, assuming the paper trail is there, the damages are also there. Being pressured into resigning is harder to prove damages-wise. "Pressuring" is subjective.
The boss doesn't have technical expertise and will not defer to the judgment of the person who does, lacks ethics and is not going to stop their crap. It will only stop if someone else stops them, probably via tossing them in jail at some point.
Counterpoint, OP is overthinking pen test = certification. He definitely needs to talk to his boss about it, but it could be a simple matter of discussion about what pen tests were performed. If a more recent and/or external one is required, simply tell them that you will work towards that. OPs goal should be to get clarity of what the client expects as a pen test.
The reality is none of us knows the whole story. We are getting one side of it. It's entirely possible the problem is with the guy asking the question and always has been.
Assuming good faith, honesty and a reasonable degree of accuracy on the part of the OP, looks to me like he should probably plan his exit. Not necessarily drop his resignation today, but start making plans.
It's absolutely true that if he ups his game, he may find things improve and he can work with this person effectively. Or he may not.
> "we did pen testing when we launched, but haven't done it since".
Well… was it before you joined the company?
You tell them in that case that was before your time and you quote your boss.
I’m not sure why you replied no to begin with, if you didn’t know. You should have asked your boss about it first and take his word.
During the zoom call, you can simply reply that your boss told you so and ask him to produce the old report if it’s still in his possession.
Anyways I think these tests (iso 27001) should be held regularly to mean anything.
Being compliant in 2021 doesn’t hold the same “level of guarantee” in 2023.
And that last part is up to your client’s policy.
Do they need a recent third party audit or whatever… you should ask them questions and check with your boss if it’s worth the spending.
Nowhere does the author say they were unsure whether it had happened:
> I, truthfully, wrote that we had never pen tested our software. ... They provided me with an answer to the pen testing question that essentially said "we did pen testing when we launched, but haven't done it since". I made sure they were aware that this wasn't true.
Three years into a job as the most senior technical employee, I'd expect him to know if there were any pen tests done before he joined. It sounds to me like this is a pretty garbage company, where the one developer with a clue feels like he has no agency. I believe him if he says they didn't do any pen testing before he was there.
> At that point, I was confident in my personal ethical position.
Eh, what? OP knew what sales was going to do with that email. Having sales wordsmith an answer is fine, but if you think it's factually inaccurate, don't send it back to them filled out in the form.
Sounds like a "winning move" did not exist from the start for this poor fellow. Either your director fires you for speaking the truth or you possibly become accomplice in fraud. All you can do is cut your losses. If they go into that zoom meeting I hope they won't toe the company line. Getting fired, or losing the customer seems like the least worst option.
It's actually not clear to me if the director is also their boss. It's written as if they are but not spelled out anywhere I can see.
Could be a winning move, but it's also common for whistleblowers to end up under some bus at some point. Turning against your director (and colleagues, etc.) will most certainly cost you your job. A lawsuit for disclosing secrets is also likely.
Cover your ass with clear paper trail. And even then, I would prefer losing the deal getting fired. Whistleblowing is really the last resort nuclear option, IMO.
The least losing move was probably to indicate that the “more political” statement provided by the boss seemed to be false, and ask for supporting information and/or to work together to find a defensibly true statement that was suitably politically acceptable.
Now, if the boss is committed to outright fraud, this is still going to be a problem, but it lets you separate out that case and puts you in the best armed position if you need to go above or around them in the org on the issue, and does as much as you can to avoid the firm committing fraud and to avoid yourself being an active participant if that happens.
> if you need to go above or around them in the org
In this case, the whole company has around 10 employees, so I assume there isn't much in the way of management. I understood "director" to be the big boss, maybe sharing his position with one other.
Or not lie and possibly not get fired? Surely better than lie and having the sword of Damocles hanging over his head for a long time, either because of part-taking in fraud or (indirect) blackmailing from the boss expecting more lies or other dishonest actions as a consequence.
if we define 'software engineer' as someone whose job it is to make working software systems, then clearly anything less than the truth is counterproductive.
if you take a more modern view that the 'software engineer' is mostly about marketing and sales, even inside your company, then sure. its all spin and half truth. but that doesn't have anything to do with.. you know, building stuff
You could probably still fudge out of this depending on what exactly was replied.
You could elaborate that the initial pen test was one of those self trigger ones and not an external or "professional" type. Hence you do not have any documents regarding it anymore. Although not ethical the company would see this as not a acceptable metric and dismiss it when evaluating. Your written statement although a lie would not be considered fraud if it didn't get considered in evaluation. I am saying basically make your written statement worthless.
Eitherway you need to make it absolutely clear to the CEO that is as far as you will go an he may as well hire an actor to represent engineering if he wants you to lie as the actor would know as much as you about a fictional pen test.
The conduct to this point was wrong. At best we're talking about an undocumented, out-of-date pentest that the writer doubts occurred-- and whatever occurred would not be recognized as a pentest under current industry standards. Sounds like an interesting conversation with the client, director, and possibly whoever runs the company. If the company adds to that performing an actual industry-standard pentest-- which it passes easily-- perhaps its reputation does not receive the hit it deserves. If the software doesn't pass, might be simpler to withdraw the submission than proceed with the meeting.
And this is why the tech industry management is so hated. The OP gave an ethical example but it happened to me in a different way.
I was being pushed to release a small feature during the holiday season. While we were on track to release it, the CTO announced that we should not release anything during the holidays so that customers can take a breather and that our company is not responsible for their failures. So, we waited to roll it out until after the holiday since the CTO himself asked us to exercise caution.
Come review time, my manager berates me for not releasing fast and for "constantly missing deadlines". I asked why the CTO is asking us to exercise caution and why he is asking us to push. I asked what would happen if there were to be an outage during the holidays.
This infuriated the manager and he had it for me for a long time. And he was only furious because I caught his BS. The only reason he wanted me to go faster was to make himself look good. But if something were to fail and if the CTO checked, I was to be the fall guy.
Aside from the "all managers are not like this" trope, can anyone tell me why engineers should trust such managers when they play such games with us?
I'm not sure what you expected to happen, but you should be archiving all your correspondence with your director in personal storage and start looking for another job.
Whether this is fraud depends on your jurisdiction, but the fact that you're even asking the question probably means there are some uncomfortable conversations in your future.
I'd say do one of two things:
1. Attend the Zoom and bring the original copy of the document you produced. Explain that you had nothing to do with any alterations, and that there has never been pen-testing of any kind. Then let them fire you. Again, save every piece of correspondence in storage that is under your control -- personal cloud, printed copies in your basement, whatever.
2. Resign effective immediately and cite that you were asked to make false statements to a client. Then file for unemployment and dare them to contest it.
I was working at a Big Startup, on ML side of things. All the senior engineers in my team left and me and a few others became the senior-most engineers (with <1 YOE). The models we built were contributing 100M$+ to the top line of the business.
My then manager tasked to do some data analysis to determine whether building a "new nonsensical ML Model" was the right way forward. I like a diligent bee crunched the data and came to the conclusion that "we shouldn't build the new model".
I showed the results to my manager who laughed and told me to do it again. It's also important to note here that my team lead and old manager had left the company. This person was completely new and a senior manager.
I in my naive mind (and oblivious to politics) thought he's telling me to say that the results "do make sense". and that's what I said. We even presented the results to product people who gave us go ahead. Since we were doing such pivotal work, even the company's CTO was involved and tracking our progress.
The next few months were one of the most painful times of my life. Immediately after the meeting, we were tasked to actually build those models. I knew that they wouldn't bring any results, everyone else in my team knew, even PMs knew. Everyone except the manager.
I led a few interns and we built the damn models and got the expected result which is 0% improvement.
What happened next taught me a lot about life. Their was a meeting (which I wasn't a part of) where everyone senior who had their ass on this project came together. They invented a "new metric of success" and asked us to train ML models optimizing for that. We trained the models and obviously since the optimization target changed, we saw improvement.
Then we created charts according to that metric which were obviously good. the PMs showed slides to Upper management. and all was well again.
The best part of the new metric was that the actual results will only be visible years down the line. So we called it a success regardless. I switched my job soon after that.
I learnt from this experience to just say "NO" firmly on doing things I'm not comfortable with. and always keeping a text trail. The manager was kind of an oddball so I never fully got whether he actually knew this from the start or was just plain incompetant.
I don't find this all that similar to the situation in the StackExchange post, tbh.
Yours is a situation where people in control of the goal posts changed said posts to avoid looking incompetent; OP situation is some kind of Trumpy boss directing an employee to outright lie to the government so the company can obtain a contract .
211 comments
[ 2.4 ms ] story [ 215 ms ] threadAnd the lesson learned is to let people write their lies into documents and not do it for them.
If the OP was an engineer, the answer would be lose their license and never work again in the field.
Regulatory bodies in the past were setup ultimately by government legislation (though typically run arms-length or fully independently thereafter), and until government starts actually taking these things seriously no software developer will ever be an "engineer" unless there are actual licensing and standards by authoritative bodies.
If so, the OP is still not an engineer unless he’s writing software for weapons.
In the end, anyone lying to their client about the standards their software adheres to is not undertaking engineering.
I think some introspection may be required here.
Feel free to call yourself a software engineer (or even a software doctor). The titles aren’t controlled and as a result don’t really mean anything.
Another example: the University of Alberta has a software engineering program.
https://www.ualberta.ca/computing-science/research/research-...
Search on Canadian job sites and you will find hundreds of software engineering jobs across Canada (including Alberta).
Other examples of non-PE engineers include stationary engineer (people who operate boilers) and locomotive engineer (people who operate trains). They may have their own regulations, but it is entirely distinct from Professional Engineers.
It's a bit complicated. In Oregon, for example, someone was fined $500 in 2015 for referring to themselves an engineer; although they had an engineering degree, they were not a licensed professional engineer. The state law was invalidated in 2018.
https://ij.org/press-release/oregon-engineer-wins-traffic-li...
The OP squabbling about someone calling themselves a "software engineer" is just being silly. Where it matters in the US, the term "professional engineer" exists for exactly this distinction.
Bold strategy.
For example, a software engineer.
> Stop looking for "gotchas", especially ones that demonstrate a lack of reading comprehension.
The irony is palpable.
There's no irony here sadly. You're just engaging in the worst sort of pedantry: attempting to be pedantic about something you're wrong about.
Software developers have a tendency to call themselves "engineers" based loosely on what they do (software engineering, or at least development) rather than based on them holding an engineering degree and/or professional designation. I'm neither a software dev nor an engineer, and I initially found it confusing when I'd come to a forum like this and see people say "I'm a software engineer" or "I work as a software engineer for X" without actually having any of the aforementioned credentials.
In contrast, I don't think people are so blase about using the term "engineer" casually in other contexts, or even other areas of engineering. Folks calling themselves mechanical engineers, or electrical engineers...actually are engineers. As for the example you gave of a "car doctor", it is evident that people might use the term "doctor" in such a way as to show they're not actually doctors, which is not the case in the present context. I don't see mechanics referring to themselves as just doctors, or describing what they do with cars as medicine.
And, no, this sort of thing didn't exist before the pieces of paper, for obvious reasons.
As I said to another commenter, maybe some introspection is required here.
FWIW, I would consider myself a "real engineer" (because that's exactly the title that was granted to me by my university and country. And there's nothing I ever could have done to become a "more real engineer"). And I could see myself exactly in the same situation if I worked for a bad company. In that case I would have no idea how my title would help me.
The concrete difference is evident in this post and these comments. A real engineer, including a real software engineer, would understand their responsibilities and the question in the OP would be moot.
> In that case I would have no idea how my title would help me.
Well, yes, because for you (unlike the majority of the world) engineer is just a title.
This chucklehead lied and is now panicking, pointing fingers and making excuses. A single class in Ethics could have prevented this.
Even for documents that their name isn't on?
OP didn't write the incorrect answer, OP didn't attach their name to it (as far as I know), and OP didn't send it to the client.
Ethics is a personal choice and if you have strong ethics, refusing to commit fraud is effectively a no-brainer. There’s no difficulty to this decision. Your “boss” at work isn’t actually in charge of your actions, you get to choose how you want to live your life on your own terms. Most managers are incompetent and sleazeballs abound in business. There is effectively no leverage these assholes have over you except continued employment working for asshole liars.
That’s just not a realistic sentiment for most people in most jobs.
The same logic applies here. The customer can sue the employee who falsified the records, but they’re more likely to want to sue the company.
> To be clear I'm not looking for legal advice, just opinions from people who may have been in a similar situation
I'm going to go ahead and say they are going to dig themselves deeper in the hole.
The way I handle this is to ask “how strongly would you be encouraging me to get a lawyer right now?”
My current company won’t let me near customers.
I'll believe youbif you claim they don't. I'm not an American, nor do I work for an American firm. On the other hand, I do find it ironic that a country would tout law and order while not providing the means for individuals to uphold that ideal.
The US government has a brief summary at https://www.usa.gov/wrongful-termination
It's not a fun game to play if you're someone who believes in honesty, or think that you will be accountable. On the other hand, some people seem to believe that the costs outweigh the risks. That's particularly true if most of the blame can be diverted to someone else.
He likely would have a wrongful termination case, depending on state whistleblower statutes.
I truly don’t understand how people work and still have no idea what at will actually means.
First, there's always a good chance nobody on the client side actually cares about this. RFPs tend to come with hundreds of questions, most of which are put in as requirements by completely detached departments to make them feel important, but don't actually matter. If something is important, it can be negotiated. For example, if the pen test is important, you can get the client to agree to sign the contract with a clause that says if they don't get pen tests results by X date the contract is void.
Second, well, what is a pen test, really? If you ever called one of your APIs to validate that your authorization or authentication code works, or you've validated that your AWS security groups are blocking external traffic to your database, congrats, you've performed a "pen test"! The client won't consider that sufficient, of course, but it's a justification for an answer on an RFP, at least. If they want more details, as they do in this case, they can always schedule a follow-up call or ask to see the pen test results document.
This situation reads like an engineer who needs a bit of business/sales experience more than anything. In their discussion with the client, you can start with "we've currently only done in-house penetration testing, but are looking to contract an external vendor to do penetration testing by X date." Assuming you've done any testing, this is a true statement, and the client can determine if that's sufficient.
The real solution to this is to get SOC2/ISO27001 certification, though, which makes a lot of these RFP headaches go away.
Compliance is not security.
For buyers, they often just need to check a box so that they can maintain their own compliance obligations. They probably don’t care all that much about your security if you can check all the boxes.
Pen tests are a joke. You can get perfectly acceptable pen tests (from compliance perspective) done for $2k in less than a week and the testers will try to find a couple things but their goal isn’t to evaluate your app’s security. Their goal is to make you happy with the report you’re paying for (and you won’t be happy if it has a list of 100 security bugs)
Note: I don’t like that this is how compliance works. I wish compliance were more closely tied to security. But that’s simply not reality.
In the process, you're reinforcing all my negative perceptions about the (non-existent) ethics of sales staff.
See the note in the original comment:
> Note: I don’t like that this is how compliance works. I wish compliance were more closely tied to security. But that’s simply not reality.
Ethical people don’t.
The original advice was that such “embellishment” was normal.
My response is that it’s only normal to unethical people.
Your post reads like a salesperson hand-waving away actual situations of consequences in favour of a quick buck. There is literally no embellishment in this scenario, it's outright lying. He didn't say "well we tested security in some things but it wasn't up to a great stabdard", he said "we didn't do any pen testing" and when asked he said the opposite.
lol there's no ambiguity here. I love it when otherwise "street-wise" salespeople get challenged with very obvious scenarios they all of a sudden become postmodern philosophers.
"I mean, what does it even mean to COMMIT fraud? I mean, did I really "commit" to it if I did it once but gave it up after? Hmmm? Ever ask yourself these deep kinds of questions?"
Give me a break. Some sales people are so deep into a near-sociopathic lifestyle of "sales" that they are just pathological liars in the most literal sense. They don't even see themselves weaving deception.
I conjecture they _did_ do something that could reasonably be called pen testing and didn’t realize it.
GP even gives some examples: testing authentication code, checking security group configurations, and testing API calls all counts as rudimentary pen testing.
What are you even talking about?
You've completely fabricated entire activities that the OP never even mentioned.
Where’s my lie that I’m justifying?
Also, sorry but checking your security group is setup correctly is not what any reasonable person would call a pen test.
You may get away with that argument in a court (ianal), if you hadn't repeatedly stated you didn't believe it yourself.
If a client tells you what they need, you don't get to decide what the client needs.
The sort of "business/sales" you're referring to may work well for someone not interested in building long-term relationships for repeat customers, but you're describing the exact type of fratboy used car salesman that I avoid doing business with whenever possible.
“We did pen testing at launch” could include some in house and very rudimentary validation of the correctness of any code related to security.
It doesn't matter if the client doesn't really care. That's just a rationalization, plain and simple. No different in kind from, "well the bank teller doesn't really care if I rob the bank because it's not their money, and the money is insured anyway, so is it really even robbery?" Only different in degree (to be fair, an enormous degree; just to illustrate).
A pen test is a real thing. "What is a pen test really?" is another rationalization. There may be many flavors of pen test, but fabrications are fabrications. One of the most important part of pen tests is that they are external. It's like saying, "what is an audit really? We have accountants and they check our books for anomalies." Just doing your job as an engineer and looking for bugs is not a pen test. In the same way that being careful and rereading your own changes is not a code review.
This reads up me like an engineer committed to their work. I think they should be proud of themselves for not going along with this. I think the problem is that management isn't doing their job properly. They're cutting corners because they fucked up and didn't make sure a pen test happened or listen to their technical people. This is a strategic necessity for the company that would have been so easy to accomplish and should have been foreseen. They're trying to rule by dictate and it could destroy their career if this ends up in court. Even now, they could get some kind of rush job done - but no, they choose to endanger the company and the people in it instead.
Imagine being a lawyer or a paralegal and getting your hands on those emails in discovery. They didn't only demand their engineer lie, they did it in writing. The engineer is not the problem here.
I agree, but if the RFP question was phrased "have you done penetration testing?" then that leaves a lot of room for embellishment. If the question is "do you have SOC2 certification?" and you answer "yes" untruthfully, then that is a lie. If they ask for the SOC2 or pentest report and you give them a falsified document, that's where you're (probably) committing fraud.
> One of the most important part of pen tests is that they are external.
AWS/Google/etc have internal security teams doing their pen tests, so no, this isn't true.
> Just doing your job as an engineer and looking for bugs is not a pen test.
What about an engineer spending an afternoon running ZAP[0]?
> It's like saying, "what is an audit really? We have accountants and they check our books for anomalies."
Yeah, which is why you don't just ask a company "do you keep track of your finances?" if you're investing in them, you request external auditors.
[0] https://www.zaproxy.org/
They might have the scale to have internal pentesters nearly as isolated as external pentesters. A ten person startup definitely does not.
Regardless of what tools you use, an internal pen test isn't the same. Do internal accountants use different tools than KPMG? Probably not.
The RFP likely did contain more precise language.
I encourage you to reflect on your position. It's very odd to me that your attitude is, "if the customer didn't want to be lied to, they should've tied me down better, because I'm like a djinni who will twist your words against you if there's the slightest ambiguity." I understand the sentiment that RFPs and contracts need to be locked down. I don't understand the sentiment of, "they had it coming."
It isn’t the same as an “official” pen test for a 10 person company with non-specialists, sure. But the document, to our knowledge, didn’t ask if they had some specific form of pen test.
> because I'm like a djinni who will twist your words against you if there's the slightest ambiguity.
They aren’t twisting anything. If a quick and informal pen test meets their definition then they should be more specific.
A pen test’s goal is to find security bugs by posing as an attacker. There is no requirement that it is systemic, formally documented, performed by a “security expert,” or that it is done by any external party.
Those are all desirable _properties_ of a pen test that may be required for various certifications, but an engineer can absolutely conduct a quick and informal pen test at any time.
I am reminded that when I bought a house in my twenties, at the scheduled closing there was some detail that was incorrect. There was a line in the document where we had to say something like "Yes, x paper is in hand." In reality, I think we were still waiting for it.
And when I was like "But this isn't true. Shouldn't we wait until we have this?" the banker said "That's your call."
So it was lie about it because the paperwork wasn't going to go through if it said anything other than "Why, yes, we absolutely have that!" or delay closing on the house, which could mean losing it. So I signed.
And it never came up again. No one ever called and said "But what about blah?"
If you are knowledgeable about the bureaucratic process, you may know which check boxes must be checked off, true or not, to file it and in most cases don't actually matter. If you aren't knowledgeable, you are seriously gambling.
So in reality, this kind of thing does go on, like it or not. And if you are too pedantic, you can't get things done. Things will grind to a halt while you dot every I and cross every T.
In your analogy it would be as if the seller ticket the box saying that they’ve disclosed all deficiencies to you despite not having done so, to not jeopardize your willingness to close.
I think TFA is a case where the OP messed up. He shouldn't have lied to appease his boss and it seems he wasn't clear about that at the time.
He didn't seem to feel he was lying. He told his boss X then did as he was told. And I think this sort of mental disconnect is common and, among other things, leads to problematic choices for how to relate online.
In his mind, while filling out the papers, what he said was part of this larger conversation and his boss knew what he really believed to be true. The problem is that putting it in writing means other people can read it and they aren't part of this larger conversation.
I was clear that signing the papers could come back to bite me but based on the banker's remark inferred he wasn't concerned and he felt rescheduling was a bigger problem. Odds are good the item showed up soon after and was added to the file and said the "right" thing, so didn't create problems.
I still think what I said elsewhere: OP should probably be planning his exit. But I do also understand why some people have sympathy for his boss and feel like playing devil's advocate here.
There are some comments here saying stuff like "these compliance forms are ridiculous and are often just bureaucratic nonsense" and you see comments advocating for playing dumb and answering in bad faith and there you go.
I see there being a bit of an attitude of "everyone is doing it" to justify also doing it just to compete because you're at a disadvantage if you don't. And that's not entirely wrong but it sucks and I personally will avoid competing in that way. Probably that means not much sales in my career. Or science, but that's another topic...
Living in a world where the security of critical software is based on a good faith "trust me bro" doesn't sound ideal.
I actually worry that this mindset of adversarial relationships make it MORE likely for your identity to be stolen.
I'm not sure why having standards that should be met around software testing would make my data less secure. Weve seen leak after leak and so frequently it's some basic issue caused by massive incompetence, or more often, by decision makers cutting corners to make a quick profit.
Were we talking some light fudging, the director would have spent time explaining what the customer is asking for and worked with them to determine whether what they do supports a statement of “we do security testing.”
And if they can’t support the claim? Well, the director’s response will tell you if they’re an honest broker or not.
However, the director also does not seem politic enough to maintain plausible deniability, if they're saying "what the fuck, just sign your name uncritically on this statement" vs guiding them towards a long, detailed, qualified, technically-truthful answer. ("We did these things on these dates" and leave it up to client to evaluate whether its sufficient/is really pen testing) Which the client would require anyway if the process moves forward. The entire situation just seems like a shitshow.
If the request wasn't specific, you may be able to get away with arguing that way in a court, who knows.
When you tell the director it is not true, author a document that says otherwise, and then document the whole thing on the internet, by that point it is a lie not embilishment, and I'd be worried about fraud myself.
Testing security groups, verifying auth(z/n), and testing APIs is like 90% of a penetration test.
1/ Normally lying in bids can get your company barred from competing in bids for several years, if these are financed by something like the World Bank, the disqualification can be extended to other geographies.
2/ Your director likely has DnO insurance.
3/ Whose signature is at the bottom is the bid?
4/ Tell the truth, or at least, don’t lie.
Disclaimer: not a lawyer.
At a 10 person startup? No, their director is most likely a 30-year-old sales rep with an inflated title...
If your employer asks you to do something and there is no moral imperative to to what is being asked, even if you do not think it is wise to do it, just do it.
If your employer asks you to do something that has some moral imperative, you need to ask yourself if doing this makes your moral standards, are you willing to compromise your moral standards or will you stand upright and be the man and face the consequences from your employer.
Either way, you will face consequences and if you fail your own moral standards you have to live with that.
Just leave that out. No point in saying it other than to make more trouble and work for yourself.
Most compliance frameworks like SOC 2 have a requirement for an annual pen test, so if the pen test was over a year old it wouldn't matter anyway. Best approach would just be to talk to the director and say something along the lines of "Our next pentest is scheduled for date XYZ and we can send you those results upon completion".
People who tend to freak out in situations like these where "let's lie" is their go-to, when an honest approach is possible that will likely get the job done, scare me.
-
My advice: get on the zoom call and when asked about the pen test, repeat something like “we have a security policy in place that obligates us to do a penetration testing at least annually”
(Assuming you have such a policy. If you don’t, then you and your company is out of your league selling to governments)
Assuming you have a basic set of security policies (almost all of which will say you’ll do pen tests annually), just repeat the line like “we have a security policy in place that obligates us to do a penetration testing at least annually”
And if you’re asked again more specifically whether you’ve done one in the past year, don’t answer directly and repeat the quote again.
The key here is do say the maximum amount of (positive for your company) truthful information and deflect or redirect away from questions where the truth would hurt the sale. Engineers often have trouble with this because it’s most engineers have a tendency to want to answer questions directly and literally.
And, make sure the sales rep is in the call. If the client backs you in a corner and you don’t know how to redirect or deflect, then you hand the baton to the sales guy.
Edit: Or, just do a freaking pen test. You can get one done in less than 2 weeks for less than $2k.
But really the right thing to do is to have a conversation with the director where you tell him that you want to support the company as well as possible, but saying that a pen test happened is not something you can do. You want the director to feel that you are reasonable and supportive, but realize that they have to find someone else to claim that the pen test occurred.
If you’ve read questionnaires from Jira, AWS, etc, you’ll notice their answers rarely answer the questions directly.
Google Jira’s public CAIQ for an example.
That’s blatantly unethical, if not illegal.
Compliance people (on the other end of the line) actually like this in many cases… literal answers can make their jobs harder than politically worded (but not untruthful) answers.
1. A false statement of a material fact is made
2. Knowledge on the part of the defendant that the statement is untrue
3. Intent on the part of the defendant to deceive the alleged victim
4. Justifiable reliance by the alleged victim on the statement
5. Injury to the alleged victim as a result
So if the local government is hacked because they thought the software provided was pen tested and it actually wasn't, congratulations, you've hit fraud bingo.
Important disclaimer: IANAL
[1]: https://legal-dictionary.thefreedictionary.com/Fraud
Edit: Formatting and disclaimer
OP, get a pen test scheduled and tell the client, “You know, we’ve had a lot of changes since we rolled out. Since you asked, we felt it was best to get a current pen test to reflect our present state.”
No lies (just a slight deception with the truth) and you get a legit pen test your client can rely on.
Lying and fraud aren't the same, which is the author's concern. Lying incurs a social cost. Fraud incurs both social and legal costs.
If you present it as true. People write untrue documents all the time and show them to people that know they are untrue.
You could be right but do you want to take a chance when your livelihood/freedom is on the line?
A determination to perform a particular act or to act in a particular manner for a specific reason; an aim or design; a resolution to use a certain means to reach an end.
It doesn't matter if the OP wanted to deceive the client or was pressured to do it, they still intended to do it. Again, IANAL, but people are held liable for their illegal actions all the time, even if they were pressured. Also, think about the kind of pressure this manager is applying relative to the (potentially) fraudulent thing they're asking the OP to do. If the manager was holding their family hostage, by all means, lie about the pen test. I know it's easy to advise the OP to "just quit", but not everyone has the luxury of doing that for personal or financial reasons. That being said, I'd rather be out of work and struggling instead of on the hook for fraud.
[1]: https://legal-dictionary.thefreedictionary.com/intent
The world only gets better if people do the right thing whenever possible. The right thing here is not to assist with immoral behavior and deceit.
Not going into gorey details. Suffice to say, I will not lie. I will not engage in the calling of a spade anything other than what it is either. Results and actions speak louder than words, and with mine I truly seek to never through my actions to make the world worse.
Still find jobs. Still build things. Still help worthwhile projects get pff the ground. Gotten pretty good at it too. Still not afraid to walk out the door the minute things begin smelling of fish.
It was scary. I was a pretty brand-new, low-level manager, at the time.
But I also live a life of rigorous Integrity, and will resign, instead of doing unethical stuff.
I won't go into detail, as I don't want to cause trouble, even in reflection.
But I was not always good. I learned my lesson, from "going along," years earlier, at a defense contractor.
If they don’t fire you, you will still need to look for another job.
The larger problem:
The boss doesn't have technical expertise and will not defer to the judgment of the person who does, lacks ethics and is not going to stop their crap. It will only stop if someone else stops them, probably via tossing them in jail at some point.
Assuming good faith, honesty and a reasonable degree of accuracy on the part of the OP, looks to me like he should probably plan his exit. Not necessarily drop his resignation today, but start making plans.
It's absolutely true that if he ups his game, he may find things improve and he can work with this person effectively. Or he may not.
Well… was it before you joined the company?
You tell them in that case that was before your time and you quote your boss.
I’m not sure why you replied no to begin with, if you didn’t know. You should have asked your boss about it first and take his word.
During the zoom call, you can simply reply that your boss told you so and ask him to produce the old report if it’s still in his possession.
Anyways I think these tests (iso 27001) should be held regularly to mean anything. Being compliant in 2021 doesn’t hold the same “level of guarantee” in 2023.
And that last part is up to your client’s policy.
Do they need a recent third party audit or whatever… you should ask them questions and check with your boss if it’s worth the spending.
> I, truthfully, wrote that we had never pen tested our software. ... They provided me with an answer to the pen testing question that essentially said "we did pen testing when we launched, but haven't done it since". I made sure they were aware that this wasn't true.
Three years into a job as the most senior technical employee, I'd expect him to know if there were any pen tests done before he joined. It sounds to me like this is a pretty garbage company, where the one developer with a clue feels like he has no agency. I believe him if he says they didn't do any pen testing before he was there.
Eh, what? OP knew what sales was going to do with that email. Having sales wordsmith an answer is fine, but if you think it's factually inaccurate, don't send it back to them filled out in the form.
It's actually not clear to me if the director is also their boss. It's written as if they are but not spelled out anywhere I can see.
Cover your ass with clear paper trail. And even then, I would prefer losing the deal getting fired. Whistleblowing is really the last resort nuclear option, IMO.
Now, if the boss is committed to outright fraud, this is still going to be a problem, but it lets you separate out that case and puts you in the best armed position if you need to go above or around them in the org on the issue, and does as much as you can to avoid the firm committing fraud and to avoid yourself being an active participant if that happens.
In this case, the whole company has around 10 employees, so I assume there isn't much in the way of management. I understood "director" to be the big boss, maybe sharing his position with one other.
if you take a more modern view that the 'software engineer' is mostly about marketing and sales, even inside your company, then sure. its all spin and half truth. but that doesn't have anything to do with.. you know, building stuff
You could elaborate that the initial pen test was one of those self trigger ones and not an external or "professional" type. Hence you do not have any documents regarding it anymore. Although not ethical the company would see this as not a acceptable metric and dismiss it when evaluating. Your written statement although a lie would not be considered fraud if it didn't get considered in evaluation. I am saying basically make your written statement worthless.
Eitherway you need to make it absolutely clear to the CEO that is as far as you will go an he may as well hire an actor to represent engineering if he wants you to lie as the actor would know as much as you about a fictional pen test.
Unless they specifically claimed compliance with some standard, then there is no single and universally recognized Pen Test definition.
I was being pushed to release a small feature during the holiday season. While we were on track to release it, the CTO announced that we should not release anything during the holidays so that customers can take a breather and that our company is not responsible for their failures. So, we waited to roll it out until after the holiday since the CTO himself asked us to exercise caution.
Come review time, my manager berates me for not releasing fast and for "constantly missing deadlines". I asked why the CTO is asking us to exercise caution and why he is asking us to push. I asked what would happen if there were to be an outage during the holidays.
This infuriated the manager and he had it for me for a long time. And he was only furious because I caught his BS. The only reason he wanted me to go faster was to make himself look good. But if something were to fail and if the CTO checked, I was to be the fall guy.
Aside from the "all managers are not like this" trope, can anyone tell me why engineers should trust such managers when they play such games with us?
Whether this is fraud depends on your jurisdiction, but the fact that you're even asking the question probably means there are some uncomfortable conversations in your future.
I'd say do one of two things:
1. Attend the Zoom and bring the original copy of the document you produced. Explain that you had nothing to do with any alterations, and that there has never been pen-testing of any kind. Then let them fire you. Again, save every piece of correspondence in storage that is under your control -- personal cloud, printed copies in your basement, whatever.
2. Resign effective immediately and cite that you were asked to make false statements to a client. Then file for unemployment and dare them to contest it.
I was working at a Big Startup, on ML side of things. All the senior engineers in my team left and me and a few others became the senior-most engineers (with <1 YOE). The models we built were contributing 100M$+ to the top line of the business.
My then manager tasked to do some data analysis to determine whether building a "new nonsensical ML Model" was the right way forward. I like a diligent bee crunched the data and came to the conclusion that "we shouldn't build the new model".
I showed the results to my manager who laughed and told me to do it again. It's also important to note here that my team lead and old manager had left the company. This person was completely new and a senior manager.
I in my naive mind (and oblivious to politics) thought he's telling me to say that the results "do make sense". and that's what I said. We even presented the results to product people who gave us go ahead. Since we were doing such pivotal work, even the company's CTO was involved and tracking our progress.
The next few months were one of the most painful times of my life. Immediately after the meeting, we were tasked to actually build those models. I knew that they wouldn't bring any results, everyone else in my team knew, even PMs knew. Everyone except the manager.
I led a few interns and we built the damn models and got the expected result which is 0% improvement.
What happened next taught me a lot about life. Their was a meeting (which I wasn't a part of) where everyone senior who had their ass on this project came together. They invented a "new metric of success" and asked us to train ML models optimizing for that. We trained the models and obviously since the optimization target changed, we saw improvement.
Then we created charts according to that metric which were obviously good. the PMs showed slides to Upper management. and all was well again.
The best part of the new metric was that the actual results will only be visible years down the line. So we called it a success regardless. I switched my job soon after that.
I learnt from this experience to just say "NO" firmly on doing things I'm not comfortable with. and always keeping a text trail. The manager was kind of an oddball so I never fully got whether he actually knew this from the start or was just plain incompetant.
Yours is a situation where people in control of the goal posts changed said posts to avoid looking incompetent; OP situation is some kind of Trumpy boss directing an employee to outright lie to the government so the company can obtain a contract .