What most likely happened is, the developer setting it up did have it locked down. But then some upper management decree came down and said, these people/department needs to be able to access this data however they please. The developer probably told them, ok, here is how we need to set that up. The manager said, no, too hard. Just let them call it directly, don't encrypt it, don't check for authorization, make it "easy for them to get to"...
And here we are today.
If I were a developer in that position, after pushing back with nothing coming from it. You should do what doctors do. Tell whoever is ordering you to do X, that you need it in writing and coming from him personally. Other than that, you don't have many options as a developer. Your other option is to be fired, and they'll bring in the next guy.
So ultimately, there needs to be accountability, not just on developers, but the business as a whole. A developer should have the ability to raise a flag to someone without recourse.
Yes, now you get even a warning for opening the bucket but I bet you someone googled the answer and was like 'fuck it, too much a headache to set up IAM for my app.'
Cshelton|7 years ago
And here we are today.
If I were a developer in that position, after pushing back with nothing coming from it. You should do what doctors do. Tell whoever is ordering you to do X, that you need it in writing and coming from him personally. Other than that, you don't have many options as a developer. Your other option is to be fired, and they'll bring in the next guy.
So ultimately, there needs to be accountability, not just on developers, but the business as a whole. A developer should have the ability to raise a flag to someone without recourse.
PretzelFisch|7 years ago
WrtCdEvrydy|7 years ago