Security Slouch

There are three big categories of changes to be made to the applications for next year: must-have changes to make the programs work, desired modifications that the customer would like, and changes to meet security policies. The work surrounding the must-have changes is not negotiable. We must make these changes for the program to work. The desired modifications are extra and are scheduled separately. It looks like we are going to do these mods for next year. The third category is security changes to meet the security policies of our customer. The client has given the authorization to charge extra to make these changes. However, our team is fully engaged. So our management informed the customer that we would try to get these changes in some time. But that time might be a long time in the future.

This is so typical of software development. The security policies have been in place for a long time at our customer's organization. The prior contractor that did the maintenance for this system implemented some, but not all, of the security changes. I guess they dragged their feet. Now it seems that my company is doing the same thing. It is not that our company is doing this intentionally. They are just trying to ensure that we do not sign up for something that we cannot deliver. I am sure we could exchange some of the new features for some of the security-based changes. But the end users do not care as much for the security changes. They want the new stuff they have requested.

This mentality is no good. I suppose this is how many systems go down the slippery path and end up finding out that they have been hacked. There is a lot of documentation back and forth on the decisions made about what we will do this year. So I think our company has set itself up in a good light legally. But everything will get crazy if any of the security changes that were supposed to be made get skipped, and the system gets compromised. Our client deals with some highly sensitive data. I bet it would be a major event if the system got hacked or anything.

When are we going to learn to give the important items the attention they are due?