The big mistake here was editing an engineering statement to say something false.
If you're an honest person, assume that your job under that director (and probably at the company entirely) was over as soon as they asked you to make a fraudulent engineering statement. Even if they backpedaled when you resisted, you're not a team player with them, and you're a threat to someone very dishonest.
At that point, options:
* just leave;
* consult a labor attorney (you can get a free initial consultation); or
* go above the director's head, probably (in a small company) to the owner/CEO, whatever attorney is on staff or they retain, or HR (though, you're still probably over at the company, even though they'll diplomatically pretend that you're not, because you are in 100% corporate butt-covering territory now, in a place that puts someone very dishonest as a director).
> though, you're still probably over at the company, even though they'll diplomatically pretend that you're not
If you're professional about it (be factual, straightforward, and don't do a burn-the-world email blast), I wouldn't assume this to be true. Sometimes companies simply make bad high-level hires and are happy about exposing and terminating them.
Or sometimes not. But the vast majority of CEOs want to know when their direct reports are lying to them and would be happy about this outreach.
I've heard of that happening. An engineer somehow realized that top leadership wasn't getting an accurate story about the state of a bet-the-company engineering project, so the engineer went over the head of the VP (I don't know to whom). Turned out that upper leadership felt the VP had been lying to the board. Presumably because of where that left the business, the majority of employees were hit by a series of layoffs, but the engineer who'd blown the whistle to execs was still there, one of the last people, presumably very trusted/favored.
Though I've heard a lot more stories of the little people being considered disposable, and occasionally kill-the-messenger. :)
How do you even TRUST the leadership at that point?
I've been in this situation before, and the ideas in my head are basically paranoia. How do I trust that my manager isn't going to throw me under the bus in the next project? How would I EVEN KNOW?
One thing that I would just highlight with your options: be extra sure to save receipts for everything - that means screenshots, even with an external camera if you're worried about corporate spyware.
If you have everything well-documented, the likeliest outcomes look pretty good for you:
1. If you bring up the issue to HR or to a higher-level exec and they are competent, they will immediately either address the problem with the director or fire them for cause.
2. If you bring up the issue and they are shitty and try to fire you, it's honestly like free money for you if you have good evidence. If they're not complete idiots they'll settle in a heartbeat because their number one priority will be damage control.
Do not lie to the government, even if you are following orders. In the US, federal and state law differ, but most have some variant of the federal false claims statute: https://www.law.cornell.edu/uscode/text/18/287
> Whoever makes or presents to any person or officer in the civil, military, or naval service of the United States, or to any department or agency thereof, any claim upon or against the United States, or any department or agency thereof, knowing such claim to be false, fictitious, or fraudulent, shall be imprisoned not more than five years and shall be subject to a fine in the amount provided in this title.
This has been interpreted very broadly to encompass pretty much anything you submit to the government in support of the government paying you or your company money.
Probably nobody will notice, and you probably won’t get prosecuted. But this stuff comes to light all the time if something goes sideways, or if the government is investigating something else.
If the boss said "put that we pen tested", couldn't OP argue that he was answering to the best of his knowledge given the information the director gave him? As long as he had the email receipts, or would there be an argument that he should have known differently and shouldn't have relied on the director's assertion that it had been pen tested?
> If the boss said "put that we pen tested" couldn't op argue that he was answering to the best of his knowledge given the information the director gave him.
No.
If the OP was not in a position to know if they had pen tested, and the director said that they had, maybe, but in this case AFAICT the OP was in a position to know, the director was not except through the OP, and the director dictated a statement that was “more political”, not a correction of fact, that the OP knew to be inaccurate, and the OP dutifully put it into the document intended for the customer while, in parallel, repeating concerns about its truthfulness to the director.
I think this is the way to go as well. He might have simply said he wasn't at the firm when the pentesting was carried out and he would search for the documentation. He should have sent emails to his managers about where he could obtain the initial pentesting documentation.
> "we did pen testing when we launched, but haven't done it since".
Well… was it before you joined the company?
You tell them in that case that was before your time and you quote your boss.
I’m not sure why you replied no to begin with, if you didn’t know. You should have asked your boss about it first and take his word.
During the zoom call, you can simply reply that your boss told you so and ask him to produce the old report if it’s still in his possession.
Anyways, I think these tests (ISO 27001) should be held regularly to mean anything.
Being compliant in 2021 doesn’t hold the same “level of guarantee” in 2023.
And that last part is up to your client’s policy.
Do they need a recent third party audit or whatever… you should ask them questions and check with your boss if it’s worth the spending.
Nowhere does the author say they were unsure whether it had happened:
> I, truthfully, wrote that we had never pen tested our software. ... They provided me with an answer to the pen testing question that essentially said "we did pen testing when we launched, but haven't done it since". I made sure they were aware that this wasn't true.
Three years into a job as the most senior technical employee, I'd expect him to know if there were any pen tests done before he joined. It sounds to me like this is a pretty garbage company, where the one developer with a clue feels like he has no agency. I believe him if he says they didn't do any pen testing before he was there.
If I was going to get fired it’d be for telling the truth. Saying no is allowed. If they fire you for telling the truth and there is evidence to support your position then sue the fuck out of them for unfair dismissal.
Since your comment references suing, I’m going to assume you’re in the US, where almost all employment is “at will”. They can dismiss you for any reason as long as it’s not a protected one. Telling the truth and being a jerk is not a protected status, so you won’t be getting anywhere with that lawsuit.
In the US retaliation by an employer for an employee reporting inappropriate or unlawful conduct to a superior is unlawful. This is a protection granted at the federal level.
The corporations have done a good job convincing most people that “at will” means they can let you go at any time for any reason. They can’t. But we’re in Get A Lawyer territory.
How does that work when the employer puts you in a position where you must provide an answer, the expected answer would involve committing a crime, and the only alternative is to tell the truth? Whether we like it or not, employers have a lot of leverage over employees. Arguably, it is one of the reasons why employees are paid disproportionately less. Such protections should exist.
I'll believe you if you claim they don't. I'm not an American, nor do I work for an American firm. On the other hand, I do find it ironic that a country would tout law and order while not providing the means for individuals to uphold that ideal.
If you're caught, yes, it is easier dealing with the truth. On the other hand, I doubt that the boss thought they would be called out on the claim, and I doubt they think they will be called out on the verification of the 'evidence'. After all, it sounds like at least part of the correspondence was in writing, so it could come back on them.
It's not a fun game to play if you're someone who believes in honesty, or think that you will be accountable. On the other hand, some people seem to believe that the costs outweigh the risks. That's particularly true if most of the blame can be diverted to someone else.
People who ask you to do crimes against others will eventually do crimes against you. They obviously don’t have ethics and will just do what’s convenient for THEM. Don’t work for people like that.
I've broken my habit of retreating from customers. After all, if you don't know their pain, how are you to be an effective yardstick of Quality? If people try to keep you away from the customers/users, you beeline to the customers.
I think you're overemphasising how bad it is. I worked for quite some time as a computer tech fixing problems on-site and seeing exactly what issues customers face. I didn't come across too many "bad" clients. Now maybe this is because most customers could not call me directly, they had to log a call first, but most people realise that your work is just as important as theirs is.
This is IMHO why programming/IT should be treated as a "real Engineering" in some cases, or at least have one of the devs (head of the project?) have a proper degree.
I studied a different Engineering, and in multiple courses the emphasis was in the actual approval/signing. The only practical difference between a technician and the Engineer in many cases was that the Engineer could actually sign off the project (or not). And thus it was made very clear that signing a document like in this Workplace question would be a big deal, since the responsibility was theirs to make sure things were compliant.
My first real software engineering job came more from that tradition, where our division started as a startup of EEs and CEs, serving mil/aerospace/datacomm. So I started as a Software Technician I (and there was also a Technician II, before Engineer I). There were signoff matrices, etc.
People were scrappy, making ambitious new things happen, but honest.
Sheltered by lucky upbringing and early career experiences, I was shocked the first time I encountered someone in industry doing something dishonest.
In the current "tech" industry, I'm no longer shocked, just frequently disappointed in what I see throughout much of the industry.
I recently realized that some pretty ordinary tech ethics today is what, decades ago, was the stereotype of an "MBA". It was also a stereotype that "engineers" didn't trust "business people". Today, seems there's less cultural distinction between the groups, at least the stereotypes.
The whole reason that we have to go out of our way to promulgate and adhere to ethics is because otherwise ethics will be abandoned in the race to the bottom.
It's long past time that "software engineer" became a protected term in the US, as unpopular as that may be among resume-padders.
Speaking as someone with a lot of paper credentials, who'd personally benefit from licensing software engineers... I think we're past the point that'd end up useful.
For example, imagine FAANG lobbyists weighing in on what the criteria for a licensed software engineer should be. I think it'd probably end up a farce.
OTOH, hold companies fully responsible for, say, products/services being secure... no butt-covering theatre, like saying you have processes, and that producing so many vulnerabilities that you need weekly security updates is somehow a good thing... and watch a platform bloodbath, and a scramble to figure out how to work with integrity.
> And thus it was made very clear that signing a document like in this Workplace question would be a big deal, since the responsibility was theirs to make sure things were compliant.
It sounds like OP would have refused to sign this document if asked.
So is that good for OP? Or is this a situation where not signing doesn't matter?
I was in a similar position once, but it was an audit questionnaire about our usage of software - we only had one production instance licensed, not the backup instance or development instances. My director wanted me to state that we only used the one instance, I refused and said I'd leave the pertinent sections blank (for the director to fill in), but I wasn't going to lie about our usage.
That's when I started looking seriously for a new job, and had left the company within a month. A few months later they went out of business after they had to pay hundreds of thousands of dollars in back licensing fees, since the vendor had evidence that their software product had been used beyond the single production instance.
I think if they'd been upfront about the usage, the company would have negotiated a fair license fee going forward without pushing for past usage to be paid too.
I think this is a form of boilerplate for acknowledging that no lawyer will want to give you legal advice without a more detailed phone call, and the acknowledgement that a non-lawyer can’t really offer legal advice.
The way I handle this is to ask “how strongly would you be encouraging me to get a lawyer right now?”
I'd think the same. That's why in some law forums you are expected to write your questions in the manner of "suppose the hypothetical case that person X did Y, ..." instead of "I did Y, ...". So people are only talking about a theoretical case, and not giving actual legal advice.
I would go with "I was not present for any penetration testing at launch, and I'm unable to find any reports related to it. However, penetration testing done that long ago would have little current value anyway. What I will do is talk to my leaders and get regular penetration testing scheduled, and get that schedule to you asap".
> However, penetration testing done that long ago would have little current value anyway. What I will do is talk to my leaders and get regular penetration testing scheduled, and get that schedule to you asap".
Just leave that out. No point in saying it other than to make more trouble and work for yourself.
Yes, the idea was to make a commitment that would then be hard to avoid. They can fire you I guess, but it's a reasonable course of action to get some pen testing in place.
I wouldn't put it exactly like that, but I would talk to the director and put something similar.
Most compliance frameworks like SOC 2 have a requirement for an annual pen test, so if the pen test was over a year old it wouldn't matter anyway. Best approach would just be to talk to the director and say something along the lines of "Our next pentest is scheduled for date XYZ and we can send you those results upon completion".
People who tend to freak out in situations like these where "let's lie" is their go-to, when an honest approach is possible that will likely get the job done, scare me.
The OP isn't an engineer, but this really highlights the difference between real engineers and software developers who like to pretend they're engineering.
If the OP was an engineer, the answer would be lose their license and never work again in the field.
This sort of snobbery is pretty silly. Do you think engineers didn't exist throughout all of history until someone decided to start handing out pieces of paper?
Writing a piece of code after a bootcamp isn’t engineering, and being the technical guy will not make you an engineer either. For starters, you learn engineering ethics in the engineering disciplines, and he (or she) would know what to do in that situation. What OP pulled will rarely ever happen in civil/electrical engineering, because they can report that and revoke the company license.
In 2023, if you call yourself a "car doctor" or "software doctor" nobody will bat an eye. If you call yourself a doctor in a way that implies that you have a medical license, people will get upset. If you call yourself an engineer in a way that implies that you have a relevant license, people will similarly be upset.
The OP squabbling about someone calling themselves a "software engineer" is just being silly. Where it matters in the US, the term "professional engineer" exists for exactly this distinction.
So your argument is that a software developer can use the term software engineer because no reasonable person would assume that they actually are an engineer?
Sigh, no. There's many types of engineers, and if you imply that you're a type of engineer you're not, people will get upset. Stop looking for "gotchas", especially ones that demonstrate a lack of reading comprehension.
Without throwing around insults that are out of place on HN, I think the GP's position is fairly straightforward, at least as I understand it.
Software developers have a tendency to call themselves "engineers" based loosely on what they do (software engineering, or at least development) rather than based on them holding an engineering degree and/or professional designation. I'm neither a software dev nor an engineer, and I initially found it confusing when I'd come to a forum like this and see people say "I'm a software engineer" or "I work as a software engineer for X" without actually having any of the aforementioned credentials.
In contrast, I don't think people are so blase about using the term "engineer" casually in other contexts, or even other areas of engineering. Folks calling themselves mechanical engineers, or electrical engineers...actually are engineers. As for the example you gave of a "car doctor", it is evident that people might use the term "doctor" in such a way as to show they're not actually doctors, which is not the case in the present context. I don't see mechanics referring to themselves as just doctors, or describing what they do with cars as medicine.
The OP is only saying that if he had the piece of paper, he would know that the piece of paper would almost automatically be retracted as soon as he acted like this.
And, no, this sort of thing didn't exist before the pieces of paper, for obvious reasons.
Yeah sorry, it's silly. Use the term "licensed engineer" or something. Don't come up with new definitions for words and then get offended when people point out that you're being silly.
In North America at least, the term is Professional Engineer. PEs are generally licensed in a way similar to doctors and lawyers. At one point there was a push to professionalize software engineers, but it never got very far.
Feel free to call yourself a software engineer (or even a software doctor). The titles aren’t controlled and as a result don’t really mean anything.
I believe that in Canada, and certainly in Alberta, the titles are very much controlled. The regulatory group APEGA has a Professional Engineer designation for software engineers as well.
Context matters. Even in Alberta, the term “software engineer” doesn’t mean anything. Last time I looked into this, Quebec was trying the hardest to control usage and they actually took Microsoft to court for their MCSE title.
Another example: the University of Alberta has a software engineering program.
Search on Canadian job sites and you will find hundreds of software engineering jobs across Canada (including Alberta).
Other examples of non-PE engineers include stationary engineer (people who operate boilers) and locomotive engineer (people who operate trains). They may have their own regulations, but it is entirely distinct from Professional Engineers.
It's a bit complicated. In Oregon, for example, someone was fined $500 in 2015 for referring to themselves as an engineer; although they had an engineering degree, they were not a licensed professional engineer. The state law was invalidated in 2018.
I think you don't understand what you just quoted. But yes, you should introspect about why you're being silly about trying to redefine a word and then getting offended over it.
What difference would it make? Any "real engineer" (whatever definition you might have of that) will also find themselves in a shitty position in this situation, which is somewhere between getting fired, voluntarily leaving, living with ethical concerns, being a whistleblower, or finding a compromise that isn't great but maybe acceptable for them.
FWIW, I would consider myself a "real engineer" (because that's exactly the title that was granted to me by my university and country. And there's nothing I ever could have done to become a "more real engineer"). And I could see myself exactly in the same situation if I worked for a bad company. In that case I would have no idea how my title would help me.
Real engineers accept the moral and ethical responsibilities associated with the title, and accept the consequences of failing to do so.
The concrete difference is evident in this post and these comments. A real engineer, including a real software engineer, would understand their responsibilities and the question in the OP would be moot.
> In that case I would have no idea how my title would help me.
Well, yes, because for you (unlike the majority of the world) engineer is just a title.
Exactly. The situation in the article would not have happened if the OP had the ethical foundation that comes with actual Engineering education and training. He would have simply refused to lie because 1. Lying is wrong and 2. It would put his future employability in question.
This chucklehead lied and is now panicking, pointing fingers and making excuses. A single class in Ethics could have prevented this.
Of course they're not an engineer. They're writing software, not feeding and managing a boiler hurtling down the tracks. Not sure you need a license to do that either.
Yeah unfortunately you can chalk this up to the early 90s obsession with libertarianism and anti-regulation. Establishing strong regulatory bodies would be and continues to be antithetical to the Silicon Valley Ayn Randian obsessed cult of free marketers.
Regulatory bodies in the past were set up ultimately by government legislation (though typically run arms-length or fully independently thereafter), and until government starts actually taking these things seriously no software developer will ever be an "engineer" unless there are actual licensing and standards by authoritative bodies.
Yes. This. In my past in situations like this I have given the sales team the line “I can answer truthfully or you can write your own answer to the customer.”
Sounds like a "winning move" did not exist from the start for this poor fellow. Either your director fires you for speaking the truth or you possibly become an accomplice in fraud. All you can do is cut your losses. If they go into that zoom meeting I hope they won't toe the company line. Getting fired, or losing the customer, seems like the least worst option.
It's actually not clear to me if the director is also their boss. It's written as if they are but not spelled out anywhere I can see.
The least losing move was probably to indicate that the “more political” statement provided by the boss seemed to be false, and ask for supporting information and/or to work together to find a defensibly true statement that was suitably politically acceptable.
Now, if the boss is committed to outright fraud, this is still going to be a problem, but it lets you separate out that case and puts you in the best armed position if you need to go above or around them in the org on the issue, and does as much as you can to avoid the firm committing fraud and to avoid yourself being an active participant if that happens.
> if you need to go above or around them in the org
In this case, the whole company has around 10 employees, so I assume there isn't much in the way of management. I understood "director" to be the big boss, maybe sharing his position with one other.
Or not lie and possibly not get fired? Surely better than lying and having the sword of Damocles hanging over his head for a long time, either because of partaking in fraud or (indirect) blackmailing from the boss expecting more lies or other dishonest actions as a consequence.
Could be a winning move, but it's also common for whistleblowers to end up under some bus at some point. Turning against your director (and colleagues, etc.) will most certainly cost you your job. A lawsuit for disclosing secrets is also likely.
Cover your ass with a clear paper trail. And even then, I would prefer losing the deal getting fired. Whistleblowing is really the last resort nuclear option, IMO.
He probably was screwed either way in terms of his future at the company, but he should have refused to produce the document with these corrections. There was a tiny chance that maybe his resistance would make the employer reconsider that.
Anyway if the company requires him to produce it, it means his purpose was to be thrown under the bus if the fraud would come up. In fact it sounds like the zoom call scheduled might be exactly that (director claiming he had no idea).
It is best to have evidence stored in a safe place (out of the control of the employer) if something bigger comes out of it.
At this point the client has a document with clear lies signed by that engineer, and the employer won't cover for him, so it doesn't look great.
And this is why the tech industry management is so hated. The OP gave an ethical example but it happened to me in a different way.
I was being pushed to release a small feature during the holiday season. While we were on track to release it, the CTO announced that we should not release anything during the holidays so that customers can take a breather and that our company is not responsible for their failures. So, we waited to roll it out until after the holiday since the CTO himself asked us to exercise caution.
Come review time, my manager berates me for not releasing fast and for "constantly missing deadlines". I asked why the CTO is asking us to exercise caution and why he is asking us to push. I asked what would happen if there were to be an outage during the holidays.
This infuriated the manager and he had it in for me for a long time. And he was only furious because I caught his BS. The only reason he wanted me to go faster was to make himself look good. But if something were to fail and if the CTO checked, I was to be the fall guy.
Aside from the "all managers are not like this" trope, can anyone tell me why engineers should trust such managers when they play such games with us?
Ignoring the legal implications: if you have a choice, do you really want to spend your life lying for other people so they can pretend to be successful? You could actually do something with yourself instead.
If a secretary had combined the answers from different people into a single document and gave it to the boss, would they also be guilty of fraud if they didn't believe all the answers?
OP didn't write the incorrect answer, OP didn't attach their name to it (as far as I know), and OP didn't send it to the client.
ehhhh. Lots of hyper-conservative responses there (which is understandable, it's asking for legal advice). But assuming this is part of an RFP response, "embellishment" of answers is par for the course, and I understand the frustration of the director.
First, there's always a good chance nobody on the client side actually cares about this. RFPs tend to come with hundreds of questions, most of which are put in as requirements by completely detached departments to make them feel important, but don't actually matter. If something is important, it can be negotiated. For example, if the pen test is important, you can get the client to agree to sign the contract with a clause that says if they don't get pen tests results by X date the contract is void.
Second, well, what is a pen test, really? If you ever called one of your APIs to validate that your authorization or authentication code works, or you've validated that your AWS security groups are blocking external traffic to your database, congrats, you've performed a "pen test"! The client won't consider that sufficient, of course, but it's a justification for an answer on an RFP, at least. If they want more details, as they do in this case, they can always schedule a follow-up call or ask to see the pen test results document.
This situation reads like an engineer who needs a bit of business/sales experience more than anything. In their discussion with the client, you can start with "we've currently only done in-house penetration testing, but are looking to contract an external vendor to do penetration testing by X date." Assuming you've done any testing, this is a true statement, and the client can determine if that's sufficient.
The real solution to this is to get SOC2/ISO27001 certification, though, which makes a lot of these RFP headaches go away.
Lying is not an embellishment or puffery, it's a lie. Engaging a company for a 3 day pen test that's totally insufficient, that would be an embellishment.
It doesn't matter if the client doesn't really care. That's just a rationalization, plain and simple. No different in kind from, "well the bank teller doesn't really care if I rob the bank because it's not their money, and the money is insured anyway, so is it really even robbery?" Only different in degree (to be fair, an enormous degree; just to illustrate).
A pen test is a real thing. "What is a pen test really?" is another rationalization. There may be many flavors of pen test, but fabrications are fabrications. One of the most important parts of pen tests is that they are external. It's like saying, "what is an audit really? We have accountants and they check our books for anomalies." Just doing your job as an engineer and looking for bugs is not a pen test. In the same way that being careful and rereading your own changes is not a code review.
This reads to me like an engineer committed to their work. I think they should be proud of themselves for not going along with this. I think the problem is that management isn't doing their job properly. They're cutting corners because they fucked up and didn't make sure a pen test happened or listen to their technical people. This is a strategic necessity for the company that would have been so easy to accomplish and should have been foreseen. They're trying to rule by dictate and it could destroy their career if this ends up in court. Even now, they could get some kind of rush job done - but no, they choose to endanger the company and the people in it instead.
Imagine being a lawyer or a paralegal and getting your hands on those emails in discovery. They didn't only demand their engineer lie, they did it in writing. The engineer is not the problem here.
> Lying is not an embellishment or puffery, it's a lie. Engaging a company for a 3 day pen test that's totally insufficient, that would be an embellishment.
I agree, but if the RFP question was phrased "have you done penetration testing?" then that leaves a lot of room for embellishment. If the question is "do you have SOC2 certification?" and you answer "yes" untruthfully, then that is a lie. If they ask for the SOC2 or pentest report and you give them a falsified document, that's where you're (probably) committing fraud.
> One of the most important part of pen tests is that they are external.
AWS/Google/etc have internal security teams doing their pen tests, so no, this isn't true.
> Just doing your job as an engineer and looking for bugs is not a pen test.
What about an engineer spending an afternoon running ZAP[0]?
> It's like saying, "what is an audit really? We have accountants and they check our books for anomalies."
Yeah, which is why you don't just ask a company "do you keep track of your finances?" if you're investing in them, you request external auditors.
I have literally worked alongside external pentesters for some of those organizations you allude to. I still remember their codenames.
They might have the scale to have internal pentesters nearly as isolated as external pentesters. A ten person startup definitely does not.
Regardless of what tools you use, an internal pen test isn't the same. Do internal accountants use different tools than KPMG? Probably not.
The RFP likely did contain more precise language.
I encourage you to reflect on your position. It's very odd to me that your attitude is, "if the customer didn't want to be lied to, they should've tied me down better, because I'm like a djinni who will twist your words against you if there's the slightest ambiguity." I understand the sentiment that RFPs and contracts need to be locked down. I don't understand the sentiment of, "they had it coming."
> Regardless of what tools you use, an internal pen test isn't the same
It isn’t the same as an “official” pen test for a 10 person company with non-specialists, sure. But the document, to our knowledge, didn’t ask if they had some specific form of pen test.
> because I'm like a djinni who will twist your words against you if there's the slightest ambiguity.
They aren’t twisting anything. If a quick and informal pen test meets their definition then they should be more specific.
> Just doing your job as an engineer and looking for bugs is not a pen test
A pen test’s goal is to find security bugs by posing as an attacker. There is no requirement that it is systemic, formally documented, performed by a “security expert,” or that it is done by any external party.
Those are all desirable _properties_ of a pen test that may be required for various certifications, but an engineer can absolutely conduct a quick and informal pen test at any time.
>>This situation reads like an engineer who needs a bit of business/sales experience more than anything.
Your post reads like a salesperson hand-waving away actual situations of consequences in favour of a quick buck. There is literally no embellishment in this scenario, it's outright lying. He didn't say "well we tested security in some things but it wasn't up to a great standard", he said "we didn't do any pen testing" and when asked he said the opposite.
lol there's no ambiguity here. I love it when otherwise "street-wise" salespeople get challenged with very obvious scenarios they all of a sudden become postmodern philosophers.
"I mean, what does it even mean to COMMIT fraud? I mean, did I really "commit" to it if I did it once but gave it up after? Hmmm? Ever ask yourself these deep kinds of questions?"
Give me a break. Some sales people are so deep into a near-sociopathic lifestyle of "sales" that they are just pathological liars in the most literal sense. They don't even see themselves weaving deception.
> he said "we didn't do any pen testing" and when asked he said the opposite
I conjecture they _did_ do something that could reasonably be called pen testing and didn’t realize it.
GP even gives some examples: testing authentication code, checking security group configurations, and testing API calls all count as rudimentary pen testing.
My point is that while they don’t believe they did a pen test, it’s very possible that their standard correctness testing of security related features was sufficient to meet a broad definition of the term.
I don't actually like this answer but there's likely some truth to it.
I am reminded that when I bought a house in my twenties, at the scheduled closing there was some detail that was incorrect. There was a line in the document where we had to say something like "Yes, x paper is in hand." In reality, I think we were still waiting for it.
And when I was like "But this isn't true. Shouldn't we wait until we have this?" the banker said "That's your call."
So it was lie about it because the paperwork wasn't going to go through if it said anything other than "Why, yes, we absolutely have that!" or delay closing on the house, which could mean losing it. So I signed.
And it never came up again. No one ever called and said "But what about blah?"
If you are knowledgeable about the bureaucratic process, you may know which check boxes must be checked off, true or not, to file it and in most cases don't actually matter. If you aren't knowledgeable, you are seriously gambling.
So in reality, this kind of thing does go on, like it or not. And if you are too pedantic, you can't get things done. Things will grind to a halt while you dot every I and cross every T.
There’s a difference between you knowingly waiving a requirement that is to your benefit (receiving the necessary disclosure document before closing) to further a goal to your benefit and you making a statement on a form to the detriment of someone else.
In your analogy it would be as if the seller ticked the box saying that they’ve disclosed all deficiencies to you despite not having done so, to not jeopardize your willingness to close.
I don't recall what the document was but in real estate, a defect can also negatively impact neighbors or future owners. If the defect was the responsibility of the previous owner and not having the disclosure at the time of the closing means you no longer have legal standing to pursue remedy and you don't get around to fixing it, it may get grandfathered in and now it's potentially a permanent situation.
I think TFA is a case where the OP messed up. He shouldn't have lied to appease his boss and it seems he wasn't clear about that at the time.
He didn't seem to feel he was lying. He told his boss X then did as he was told. And I think this sort of mental disconnect is common and, among other things, leads to problematic choices for how to relate online.
In his mind, while filling out the papers, what he said was part of this larger conversation and his boss knew what he really believed to be true. The problem is that putting it in writing means other people can read it and they aren't part of this larger conversation.
I was clear that signing the papers could come back to bite me but based on the banker's remark inferred he wasn't concerned and he felt rescheduling was a bigger problem. Odds are good the item showed up soon after and was added to the file and said the "right" thing, so didn't create problems.
I still think what I said elsewhere: OP should probably be planning his exit. But I do also understand why some people have sympathy for his boss and feel like playing devil's advocate here.
If a client tells you what they need, you don't get to decide what the client needs.
The sort of "business/sales" you're referring to may work well for someone not interested in building long-term relationships for repeat customers, but you're describing the exact type of fratboy used car salesman that I avoid doing business with whenever possible.
If the engineer has a problem now, they'll have a complete mental breakdown during a standard SOC/ISO certification.
However, the director also does not seem politic enough to maintain plausible deniability, if they're saying "what the fuck, just sign your name uncritically on this statement" vs guiding them towards a long, detailed, qualified, technically-truthful answer. ("We did these things on these dates" and leave it up to the client to evaluate whether it's sufficient/is really pen testing.) Which the client would require anyway if the process moves forward. The entire situation just seems like a shitshow.
I get what you're saying, but boy do I not want to live in a society created by this worldview. In my opinion, this approach is antisocial. It forces everyone to write massive contracts and build bureaucratic mega processes to validate and specify every single definition in that contract because you can't ever trust your counterparty to abide by the spirit of your request.
This comment really nicely captures how I feel about this. There's something to be said about good faith and knowing what the spirit of the agreement is.
There are some comments here saying stuff like "these compliance forms are ridiculous and are often just bureaucratic nonsense" and you see comments advocating for playing dumb and answering in bad faith and there you go.
I see there being a bit of an attitude of "everyone is doing it" to justify also doing it just to compete because you're at a disadvantage if you don't. And that's not entirely wrong but it sucks and I personally will avoid competing in that way. Probably that means not much sales in my career. Or science, but that's another topic...
I worry that this is how we all end up doing meaningless administrative work, while we outsource all the useful "actual" work to poorer nations, where all of our administrative specifications can be overlooked or ignored.
To each their own, I don't want to be the victim of identity theft because sales pushed engineering into releasing shit code with a simple buffer overflow that no one ever tested for.
Why does my worry about bureaucracy have to mean I want to be the victim of identity theft? I understand and agree with the value of good security practices. I just worry that assuming all software is insecure unless some very complicated and "iron clad" contracts exist and are independently validated is a recipe for a very inefficient society.
I actually worry that this mindset of adversarial relationships makes it MORE likely for your identity to be stolen.
I don't think there is too much software a government agency will buy that I wouldn't like to see pen tested. By its nature government is often dealing with sensitive data.
I'm not sure why having standards that should be met around software testing would make my data less secure. We've seen leak after leak and so frequently it's some basic issue caused by massive incompetence, or more often, by decision makers cutting corners to make a quick profit.
Absolutely nothing you said in this post is true or valuable, other than your final sentence. You appear to be far too comfortable with lying to clients.
Remember that the goal of most security/procurement questionnaires isn’t _security_ … it’s _compliance_.
Compliance is not security.
For buyers, they often just need to check a box so that they can maintain their own compliance obligations. They probably don’t care all that much about your security if you can check all the boxes.
Pen tests are a joke. You can get perfectly acceptable pen tests (from compliance perspective) done for $2k in less than a week and the testers will try to find a couple things but their goal isn’t to evaluate your app’s security. Their goal is to make you happy with the report you’re paying for (and you won’t be happy if it has a list of 100 security bugs)
Note: I don’t like that this is how compliance works. I wish compliance were more closely tied to security. But that’s simply not reality.
Sure it's about compliance. In the event of a problem followed by a lawsuit, how comfortable would you feel explaining to a judge that you falsified the compliance forms? If the answer isn't "completely comfortable", you probably shouldn't go around falsifying compliance forms.
If all they said was effectively “we did some pen testing at launch” without any claim of meeting any standard or going into much detail then even the most rudimentary test/validation of the correctness of any vaguely security related code could be charitably considered to be a pen test.
In some situations, maybe. In this case, given the director swore at OP, I strongly suspect foul play.
Were we talking some light fudging, the director would have spent time explaining what the customer is asking for and worked with them to determine whether what they do supports a statement of “we do security testing.”
And if they can’t support the claim? Well, the director’s response will tell you if they’re an honest broker or not.
Honestly none of that is a pen test under almost anybody's understanding of the word.
If the request wasn't specific, you may be able to get away with arguing that way in a court, who knows.
When you tell the director it is not true, author a document that says otherwise, and then document the whole thing on the internet, by that point it is a lie not embellishment, and I'd be worried about fraud myself.
The entity conducting the pen test -- i.e. a third party with no interest in shipping the product -- is what makes it a pen test. Otherwise it's just QA.
The boss doesn't have technical expertise and will not defer to the judgment of the person who does, lacks ethics and is not going to stop their crap. It will only stop if someone else stops them, probably via tossing them in jail at some point.
Counterpoint, OP is overthinking pen test = certification. He definitely needs to talk to his boss about it, but it could be a simple matter of discussion about what pen tests were performed. If a more recent and/or external one is required, simply tell them that you will work towards that. OP's goal should be to get clarity on what the client expects as a pen test.
The reality is none of us knows the whole story. We are getting one side of it. It's entirely possible the problem is with the guy asking the question and always has been.
Assuming good faith, honesty and a reasonable degree of accuracy on the part of the OP, looks to me like he should probably plan his exit. Not necessarily drop his resignation today, but start making plans.
It's absolutely true that if he ups his game, he may find things improve and he can work with this person effectively. Or he may not.
It's worth mentioning that there is a legal definition of fraud[1]. Fraud must be proved by showing that the defendant's actions involved (5) separate elements:
1. A false statement of a material fact is made
2. Knowledge on the part of the defendant that the statement is untrue
3. Intent on the part of the defendant to deceive the alleged victim
4. Justifiable reliance by the alleged victim on the statement
5. Injury to the alleged victim as a result
So if the local government is hacked because they thought the software provided was pen tested and it actually wasn't, congratulations, you've hit fraud bingo.
For “injury,” I believe the payment to the party telling the lie is sufficient. You’re purchasing a service under false pretences, which is a harm in and of itself.
If you present a document you know to be untrue, that’s the same as lying.
OP, get a pen test scheduled and tell the client, “You know, we’ve had a lot of changes since we rolled out. Since you asked, we felt it was best to get a current pen test to reflect our present state.”
No lies (just a slight deception with the truth) and you get a legit pen test your client can rely on.
That sounds like a very reasonable course of action. However... given the circumstances the author is in, I don't think his director is the type to schedule a pen test and then wait for all the violations to be resolved in order to get the contract. (I assume the client, as a government entity, is legally required to obtain a minimum number of bids for contracts and make a decision in a timely manner.)
Lying and fraud aren't the same, which is the author's concern. Lying incurs a social cost. Fraud incurs both social and legal costs.
I don't... think so? He clearly intended to create a deceptive document, and wrote separately that it was false (don't delete this, wink wink, nudge nudge). The director didn't hold a gun to his head.
A determination to perform a particular act or to act in a particular manner for a specific reason; an aim or design; a resolution to use a certain means to reach an end.
It doesn't matter if the OP wanted to deceive the client or was pressured to do it, they still intended to do it. Again, IANAL, but people are held liable for their illegal actions all the time, even if they were pressured. Also, think about the kind of pressure this manager is applying relative to the (potentially) fraudulent thing they're asking the OP to do. If the manager was holding their family hostage, by all means, lie about the pen test. I know it's easy to advise the OP to "just quit", but not everyone has the luxury of doing that for personal or financial reasons. That being said, I'd rather be out of work and struggling instead of on the hook for fraud.
> At that point, I was confident in my personal ethical position.
Eh, what? OP knew what sales was going to do with that email. Having sales wordsmith an answer is fine, but if you think it's factually inaccurate, don't send it back to them filled out in the form.
If your employer asks you to do something and there is no moral imperative to do what is being asked, even if you do not think it is wise to do it, just do it.
If your employer asks you to do something that has some moral imperative, you need to ask yourself if doing this makes your moral standards, are you willing to compromise your moral standards or will you stand upright and be the man and face the consequences from your employer.
Either way, you will face consequences and if you fail your own moral standards you have to live with that.
Kinda wonky responses. If your boss asks you to provide them with a document that says ‘this’ and you send that back to them, how does that constitute fraud? The fraud is the one that then forwards that factually incorrect information to the client.
People go on about having a document that you signed and attested as correct, but as far as I can see nothing like that was indicated by OP.
You become party to the fraud when you take that call and make false claims. So don’t do that.
Sure, but there’s no functional difference between being coerced into writing a specific thing in a document, and having the coercing person write it themselves.
You can refuse, but the only person hurt in such a situation is yourself.
You can't commit a crime just because your boss told you to. If your boss asks you to break in to a building and steal something you will still be in trouble for doing it, even if you have a paper trail showing your objection. Same should apply if you knowingly provide fraudulent information to a government agency.
You might get a lesser sentence if you can prove that you were pressured into it by your employer but you're still ultimately liable for your actions.
In this situation you need to put your foot down and say you can't commit fraud on behalf of the company. You could offer to either hire a pen tester, or conduct a half assed pen test yourself and report on the paper that you did an "internal" pen test, or something like that. But you should not have filled out a document with known false info. What did you think would happen once you did? That they would just throw it in the trash?
Given that the consequences are already happening, you should make it clear that you aren't going to continue to lie and schedule a pen test ASAP.
You could probably still fudge out of this depending on what exactly was replied.
You could elaborate that the initial pen test was one of those self-triggered ones and not an external or "professional" type. Hence you do not have any documents regarding it anymore. Although not ethical, the company would see this as not an acceptable metric and dismiss it when evaluating. Your written statement, although a lie, would not be considered fraud if it didn't get considered in evaluation. I am saying basically make your written statement worthless.
Either way you need to make it absolutely clear to the CEO that this is as far as you will go and he may as well hire an actor to represent engineering if he wants you to lie, as the actor would know as much as you about a fictional pen test.
It can be really hard to flat out refuse on ethical grounds to do something your boss tells you to do. I’ve only done it once, and I knew it meant my time at that job was coming to an end. I was gone a few months later and in a better position.
I don’t think this is hard at all, especially in the tech industry when you can easily find a different (likely better) job. I’ve flat out refused things on ethics grounds multiple times in my career (startup life is like that), and while it resulted in me leaving the company twice, once I got promoted, and most of the time I experienced no repercussions personally at all and the person being unethical was dealt with.
Ethics is a personal choice and if you have strong ethics, refusing to commit fraud is effectively a no-brainer. There’s no difficulty to this decision. Your “boss” at work isn’t actually in charge of your actions, you get to choose how you want to live your life on your own terms. Most managers are incompetent and sleazeballs abound in business. There is effectively no leverage these assholes have over you except continued employment working for asshole liars.
A job is a job. Ethics are about who you are as an individual. It’s a policy for your life and defines your character. I’d scrub toilets before I would defraud a customer.
It’s a trivially easy choice for anyone with good ethics, full stop. Your contrived straw man has no relevance to the person in the OP, and they have none of those qualms. You’re doing a lot of mental contortions to defend committing fraud.
It's much easier to get legal representation and compensation if you are fired. That's because, assuming the paper trail is there, the damages are also there. Being pressured into resigning is harder to prove damages-wise. "Pressuring" is subjective.
Once, early on? Yes. Paperwork said laid off, but conversations around the time about how precarious the point in my career that I was at painted a different picture.
Not going into gory details. Suffice to say, I will not lie. I will not engage in the calling of a spade anything other than what it is either. Results and actions speak louder than words, and with mine I truly seek never, through my actions, to make the world worse.
Still find jobs. Still build things. Still help worthwhile projects get off the ground. Gotten pretty good at it too. Still not afraid to walk out the door the minute things begin smelling of fish.
I was working at a Big Startup, on the ML side of things. All the senior engineers in my team left and me and a few others became the senior-most engineers (with <1 YOE). The models we built were contributing 100M$+ to the top line of the business.
My then manager tasked me to do some data analysis to determine whether building a "new nonsensical ML Model" was the right way forward. I, like a diligent bee, crunched the data and came to the conclusion that "we shouldn't build the new model".
I showed the results to my manager who laughed and told me to do it again. It's also important to note here that my team lead and old manager had left the company. This person was completely new and a senior manager.
I, in my naive mind (and oblivious to politics), thought he was telling me to say that the results "do make sense". And that's what I said. We even presented the results to product people who gave us the go-ahead. Since we were doing such pivotal work, even the company's CTO was involved and tracking our progress.
The next few months were one of the most painful times of my life. Immediately after the meeting, we were tasked to actually build those models. I knew that they wouldn't bring any results, everyone else in my team knew, even PMs knew. Everyone except the manager.
I led a few interns and we built the damn models and got the expected result which is 0% improvement.
What happened next taught me a lot about life. There was a meeting (which I wasn't a part of) where everyone senior who had their ass on this project came together. They invented a "new metric of success" and asked us to train ML models optimizing for that. We trained the models and obviously, since the optimization target changed, we saw improvement.
Then we created charts according to that metric which were obviously good. The PMs showed slides to upper management. And all was well again.
The best part of the new metric was that the actual results would only be visible years down the line. So we called it a success regardless. I switched my job soon after that.
I learnt from this experience to just say "NO" firmly on doing things I'm not comfortable with. And always keep a text trail. The manager was kind of an oddball so I never fully got whether he actually knew this from the start or was just plain incompetent.
I don't find this all that similar to the situation in the StackExchange post, tbh.
Yours is a situation where people in control of the goal posts changed said posts to avoid looking incompetent; OP's situation is some kind of Trumpy boss directing an employee to outright lie to the government so the company can obtain a contract.
I'm not sure what you expected to happen, but you should be archiving all your correspondence with your director in personal storage and start looking for another job.
Whether this is fraud depends on your jurisdiction, but the fact that you're even asking the question probably means there are some uncomfortable conversations in your future.
I'd say do one of two things:
1. Attend the Zoom and bring the original copy of the document you produced. Explain that you had nothing to do with any alterations, and that there has never been pen-testing of any kind. Then let them fire you. Again, save every piece of correspondence in storage that is under your control -- personal cloud, printed copies in your basement, whatever.
2. Resign effective immediately and cite that you were asked to make false statements to a client. Then file for unemployment and dare them to contest it.
The conduct to this point was wrong. At best we're talking about an undocumented, out-of-date pentest that the writer doubts occurred-- and whatever occurred would not be recognized as a pentest under current industry standards. Sounds like an interesting conversation with the client, director, and possibly whoever runs the company. If the company adds to that performing an actual industry-standard pentest-- which it passes easily-- perhaps its reputation does not receive the hit it deserves. If the software doesn't pass, might be simpler to withdraw the submission than proceed with the meeting.
OOP should brush up their resume and ask the director per email what exactly he expects OOP to say and show during the zoom call because to their knowledge no pentest has occurred and as such no documents are available.
Then forward all correspondence to his private email, or, if this is blocked (doubtful either way such a small organization) take photos of the correspondence, and await the inevitable outcome.
The people here in the comments that are cosplaying as Socrates with questions like “What really is a pentest” and “Who knows what the client really want” will face the “find out” part of their nonsense soon enough.
Let them fire you. They’ll have a hard time firing you for cause. Do you really want to work at a place where the people in charge are either felony stupid, felony corrupt, or both.
The general answer is that we can all be held personally liable for our own torts. For example, if a delivery company driver runs into a pedestrian, the pedestrian can definitely sue the driver. Usually, however, they will want to sue the company instead, because the company has more money.
The same logic applies here. The customer can sue the employee who falsified the records, but they’re more likely to want to sue the company.
Before continuing to the main topic, as soon as I read “Decisions are taken by the (non-technical) directors” I would suggest you look somewhere for another job unless that person has outstanding leadership experience (clearly not), this dynamics (non-tech is dictating on tech) will be the most infuriating and frustrating experience you will have to put up with, I have been in that position before, in fact, I have seen small companies turning into chaos after replacing the tech-manager with non-tech one (usually sales or business), as those usually lack the technical background, and to stay ahead of the technical folks, they pull all political shenanigans and psychological manipulations.
Now to your topic, you are to be blamed:
- Never ever claim something is done when it wasn’t, especially in cybersecurity, this will always fire back and I have seen it firsthand, you will be liable when the first breach happens since you gave the green light from a technical perspective.
- You are supposed to protest the company's position yet they threw you in front of the bus at the first corner (when the client asked for evidence)? What do you think it will be when legalities hit later?
- You are being used, and sorry to burst your bubble, bullied too; it is clear what type of work environment you are in when you get a WRITTEN email with a slur, not even verbal.
- From my experience too, going to higher management will not do anything (like a CEO) in small companies, as usually they are all the same, in fact, the CEO will be using the director as a shield to take the shit later, and the director is using you as a shield, you get the idea.
The course of action if I were you:
- Meet with the client and be transparent, say you never said that, no pentesting is ever done, and be clear the director said it. I would even go the extra mile and record that call, just ask for consent first.
- Give your resignation right after the meeting, and be clear about the reasons why, you will thank yourself later.
- Edit: I would also make a CYA (cover your arse) folder, I usually do that in similar situations, document everything.
You can of course take legal advice, but since nothing is actually done (assumed in the negotiation phase) and unless there’s hard evidence (like those emails you mentioned are clearly asking to falsify it), I don’t think it will be worth it, but I’m not a lawyer.
1/ Normally lying in bids can get your company barred from competing in bids for several years, if these are financed by something like the World Bank, the disqualification can be extended to other geographies.
If we define 'software engineer' as someone whose job it is to make working software systems, then clearly anything less than the truth is counterproductive.
If you take a more modern view that the 'software engineer' is mostly about marketing and sales, even inside your company, then sure, it's all spin and half truth. But that doesn't have anything to do with.. you know, building stuff.
Edit 2: after seeing the replies, my revised advice is to schedule a cheap pen test (can be done in less than a week for less than $2k) and tell the client “Our next pen test is scheduled for next week”. Doesn’t need to be harder than that. Pen tests for satisfying compliance requirements are easy, cheap, and quick.
-
My advice: get on the zoom call and when asked about the pen test, repeat something like “we have a security policy in place that obligates us to do a penetration testing at least annually”
(Assuming you have such a policy. If you don’t, then you and your company are out of your league selling to governments.)
Assuming you have a basic set of security policies (almost all of which will say you’ll do pen tests annually), just repeat the line like “we have a security policy in place that obligates us to do a penetration testing at least annually”
And if you’re asked again more specifically whether you’ve done one in the past year, don’t answer directly and repeat the quote again.
The key here is to say the maximum amount of (positive for your company) truthful information and deflect or redirect away from questions where the truth would hurt the sale. Engineers often have trouble with this because most engineers have a tendency to want to answer questions directly and literally.
And, make sure the sales rep is in the call. If the client backs you in a corner and you don’t know how to redirect or deflect, then you hand the baton to the sales guy.
Edit: Or, just do a freaking pen test. You can get one done in less than 2 weeks for less than $2k.
I would go with, "I was not involved with pen testing, but <director> has assured me that it was done."
But really the right thing to do is to have a conversation with the director where you tell him that you want to support the company as well as possible, but saying that a pen test happened is not something you can do. You want the director to feel that you are reasonable and supportive, but realize that they have to find someone else to claim that the pen test occurred.
Why be misleading? The directors clearly want him to be a scapegoat. Just get on the zoom call and say you've never done pen testing, and your director lied to them. Also look for another job; this one has a short lifespan remaining, one way or another.
You can 100% tell the truth and be misleading. And why should this person put in that effort? The directors will throw them under the bus in an instant, and in fact are probably planning on it.
My advice is to answer the questions politically instead of literally.
Compliance people (on the other end of the line) actually like this in many cases… literal answers can make their jobs harder than politically worded (but not untruthful) answers.
