Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "risk assessment"
-
IT department created a risk assessment system and asked us to fill out the form.
I found that the form is vulnerable to XSS and possibly SQL injection so I told them and their response was:
"Oh, shit. Please don't tell anyone!"
Of course, it never get fixed :/6 -
Does anyone hear in their company about risk assessment towards American tech companies and their services?
It came to my ear that many European big companies are asking analysis\risk-assessment companies about the reliance on American services and commodities because of how the big American corporations reacted at the Huawei ban.
It's like if America did this to such big Chinese company, they have proven that they cannot be reliable in the long term because of political turmoil.9 -
Business Continuity / DR 101...
How could GitLab go down? A deleted directory? What!
A tired sysadmin should not be able to cause this much damage.
Did they have a TESTED dr plan? An untested plan is no plan. An untested plan does not count. An untested plan is an invitation to what occurred.
That the backups did not work does not cut it - sorry GitLab. Thorough testing is required before a disruptive event.
Did they do a thorough risk assessment?
We call this a 'lesson learned' in my BC/DR profession. Everyone please learn by it.
I hope GitLab is ok.2 -
Every meeting that contains one or more of the following points:
- "I don't think it belongs in the meeting, but"
- "Didn't get the meeting notes"
- "When's the food coming?"
- "I know we've said no technical discussion, but..."
- "Why is he so strict, this is no fun meeting at all :("
- "I think it's unfair to include risk assessment, you blame US before XY is finished"
- "The admins / the Team XY / ZX didn't talk with us, so we don't talk with him / her / them..."
- "Why are we here?"
- "Why is it so bad when production is down?"
- "I didn't know we do security / audit checks... Why hasn't anyone told us?"
- "Not happening. I'm against it"
- "I don't want to work with XY - he doesn't do it like I want it"
...
I could add thousand more things here.
I had countless meetings where I really thought that I was an alien who got broadcasted in a comedy reality TV soap...9 -
So the project I work on basically has to talk to a 3rd party plugin, through a 3rd party framework. The 3rd party plugin is a black box. This conversation happened:
Software guy: so we aren't sure what is breaking the thing. It's either us or the plugin, but it's probably both.
Systems guy: well then if we aren't sure then why are we writing an issue for it.
SWG: because we aren't sure but we know we are doing at least something that contributes. We read int X from a table and put it into a float. X doesn't perfectly represent in a float. It comes out X.0001. Then they take it and when it comes back it comes back as Y.0001. We cram it into an int so it becomes Y, we compare it to X which is really X.0001 and it comes back invalid.
SG: well as long as we are sending them the right number . . .
SWG: but we aren't sending them the right number. They are expecting X not X.0001. Then they send us back Y.0001 but it should be X so it's wrong.
SG: so they're giving us the wrong return value.
SWG: yes, but because we're giving them the wrong number.
SG: well not exactly . . .
SWG: yes exactly. It is off by .0001 because of floating point math.
SG: well . . .
Me: look it doesn't matter how it's breaking. But it IS broken. Which is why we're filling out the damn problem report. THEY ARE EDITABLE. We talked to the customer and gave them the risk assessment. They don't care. It happens rarely any way.
SG: then can we lower the severity?
Me: no. Severity doesn't relate to risk. That is a whole different process. Severity assumes it has already happened. It's a a high severity.
SG: but the metrics.
Me: WE GIVE THE METRICS TO THE CUSTOMER. WE TALKED TO THE CUSTOMER. THEY DON'T GIVE A SHIT.
And that was how I spent Wednesday wondering how a level 4 lead systems engineer got his job. How many push ups did he do? What kind of juice did he drink?2 -
Interested if anyone has done a risk assessment with the AWS outage (or other cloud hosts) in scope and contingency strategies in place and tested. A+ if you did 👍
No, going to the pub does not count as a viable strategy but probably a popular one.