Code Project
Question of Ethics

The Lounge
Tags: question, design, security, business, learning
  • Richard Andrew x64

    If I have been contracted just to code something that the client already has designed, am I ethically obligated to inform the client about huge, gaping security holes in his design? Of course, I do plan to tell the client in the hopes that it will get me more business, but my question is if it's my personal choice, or an ethical obligation?

    -------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke

    Nish Nishant
    wrote on last edited by
    #3

    Ethically I think you should. It can only make you look good in the client's eyes - so overall you win double :-)

    Regards, Nish


    Nish’s thoughts on MFC, C++/CLI and .NET (my blog)
    My latest book : C++/CLI in Action / Amazon.com link

    • leckey 0

      What kind of security problems? Payments? Medical information? It really comes down to the contract, but if someone can prove you know it's a gaping security (say you brought it up to another client), you do nothing, and design it to the company's specs there is a chance they could sue. I say bring it up IN WRITING, have them sign off on it to either agree/disagree with your changes and then you are covered.

      ______________________ stuff + cats = awesome

      Richard Andrew x64
      wrote on last edited by
      #4

      Very good advice. Thank you, I didn't think of the possibility for a legal suit. :omg:

      -------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke

        Richard Andrew x64
        wrote on last edited by
        #5

        I do agree with you here.

        -------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke

          Taka Muraoka
          wrote on last edited by
          #6

          Nishant Sivakumar wrote:

          It can only make you look good in the client's eyes

          Not always. While he is ethically required to voice his concerns, some people don't take criticism all that well :rolleyes:


          I enjoy occasionally wandering around randomly, and often find that when I do so, I get to where I wanted to be [^]. Awasu 2.3 [^]: A free RSS/Atom feed reader with support for Code Project. 50% discount on the paid editions for CP members!

            leckey 0
            wrote on last edited by
            #7

            Having run my own business before, I find it imperative to have a lawyer you can consult on these matters. Sometimes a $350 fee can stop thousands of dollars in damage later. If you have not had a lawyer review the contract, I would still do so. If there is something agregious (spelling?) the lawyer can point it out if it needs to be fixed, you need to get out of the contract, etc. I also advise studying the state law of your own state. if you are dealing with people in another state (which even if the company you are working with is in your state, the headquarters may be in another). Basically anything you sign should cover your own ass. If the other party wrote the contract, it is written to cover their own ass. Lawyers may be seen as evil, but in the business world they are just plain necessary. [edit] I also have started to keep a journal of all conversations with sups, clients, etc. with the day, time, and core part of the conversation. That way if you are brought to court you can say, 'On June xx, 2007 I spoke with xxx about....' A full journal looks good to a judge as opposed to 'around June 19th...'[/edit]

            ______________________ stuff + cats = awesome

              leckey 0
              wrote on last edited by
              #8

              That's why I advise get everything IN WRITING. That way the client can't come back and accuse the developer of something they claim they knew nothing about.

              ______________________ stuff + cats = awesome

                Taka Muraoka
                wrote on last edited by
                #9

                leckey wrote:

                That's why I advise get everything IN WRITING.

                I completely agree with that. Years of contracting has taught me the importance of CYA but that's actually not what I was referring to. Some people get very upset to downright hostile if you point out mistakes in their work.


                I enjoy occasionally wandering around randomly, and often find that when I do so, I get to where I wanted to be [^]. Awasu 2.3 [^]: A free RSS/Atom feed reader with support for Code Project. 50% discount on the paid editions for CP members!

                  Rick York
                  wrote on last edited by
                  #10

                  Since you asked - it's spelled egregious. :)

                    Richard Andrew x64
                    wrote on last edited by
                    #11

                    Thanks again for valuable input. Fortunately, the code I am working on does not handle sensitive information such as credit card numbers or medical records. The security flaws I see would allow a malicious user to disrupt the operation of the system, and possibly cause loss of business operation, but it would not expose privileged information.

                    -------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke

                      Rocky Moore
                      wrote on last edited by
                      #12

                      Yes, for you to know good and not do it, that would be wrong..

                      Rocky <>< Latest Code Blog Post: Silverlight City Officially Launched! Latest Tech Blog Post: Microsoft Surface!

                        K v S
                        wrote on last edited by
                        #13

                        Your quote should have given you your answer: -"All that is necessary for the forces of evil to win in the world is for enough good men to do nothing"- :doh:

                          Paul Watson
                          wrote on last edited by
                          #14

                          Nishant Sivakumar wrote:

                          It can only make you look good in the client's eyes

                          Sadly, not true. People work on an emotional level, not just a logical level.

                          regards, Paul Watson Ireland & South Africa

                          Shog9 wrote:

                          And with that, Paul closed his browser, sipped his herbal tea, fixed the flower in his hair, and smiled brightly at the multitude of cute, furry animals flocking around the grassy hillside where he sat coding Ruby on his Mac...

                            jasperp
                            wrote on last edited by
                            #15

                            I bet it's a blank sa password.

                              micmanos
                              wrote on last edited by
                              #16

                              Although many speak of Ethics, they really don't exist in business. I mean, how ethical would it be for a company to sue you for security holes when their specs don't leave you with any other choice? As many have said, the legal side is more important than the actual work. Inserting a clause in the contract (and please try to keep it simple) that you're not hired as a security expert / consultant and that the security level of whatever you will be developing, inevitably inherits and conforms to the security of the entire system. Hence that's NOT your responsibility. Also BEFORE going into the technical details DEFINE your job (application / security / technical / extensibility, ... etc) relating to the client. That will give you a nice little framebox of what to look out "talk about / inform" when you start digging inside the 0101. Your "Ethic responsibility" stops outside that framebox. If you're hired to extend the functionality of an application, then any security issues are NOT your responsibility, since they choose NOT to pay you for such service. I know it sounds a bit cruel but keeping your mouth shut or playing dumb WILL save you a lot .... Personally, I avoid taking anything that has to do with security.

                                mrdgreen
                                wrote on last edited by
                                #17

                                Your signature says it ALL! Good grief, what a question. :((

                                Interested in answers.

                                  Mary_W
                                  wrote on last edited by
                                  #18

                                  This is why it is important to develop people skills as well as technical ones. I would approach this as a question to the client. “Do you want me to review the design for potential security flaws? I have had some experience at uncovering those in the past.” I would do this via email and save the answer. That should cover the legal end of it. - it also helps to wear a tight shirt, but that only works for some of us - :<) :-D

                                  2b||2b

                                    Lunasys
                                    wrote on last edited by
                                    #19

                                    It's not always IF you should tell them, but HOW you tell them. I owned a consulting company for many years and have worked as a consultant for close to 20 years. I have experiences that run the full spectrum of responses. I have had clients very thankful for the advice and have continued to work with me for years. I have other clients that get very offended and shortly thereafter have terminated the contract. The bottom line is you should warn them, but do it tactfully and there is no guarantee that they will be gracious... Lunasys

                                      ednrgc
                                      wrote on last edited by
                                      #20

                                      As long as it was before deployment, I would wait until I earned the trust of management. There have been occasions where I joined an assignment after the design phase. I informed management long before deployment in writing of my security concerns. I was asked to call a meeting to describe my concerns. I used Camstudio to make a demonstration video on how the system could be circumvented. After the meeting, I also sent out a follow-up email that stated the findings of the meeting with the original message as an attachment. The email also reiterated the solutions to the problems. As long as you do this in the window between gaining full trust and sufficient time to make the changes, you will become a major player in future design changes.

                                        Michael_White
                                        wrote on last edited by
                                        #21

                                        Everyone seems to be working from the premise of protection of their ASSets. While I do not disagree that you need to protect your own interests, you are their consultant and if you see a danger to them, you need to tell them that and let them make a decision regarding taking care of it or not. This protects you and informs them. If their company is compromised, they will know that you were right, but if you never told them, they will wonder why you didn’t tell them to begin with, and they will question your abilities as a consultant to them.

                                          WhiteSpy
                                          wrote on last edited by
                                          #22

                                          Just my opinion, but... You are being hired as a professional. With that comes the responsibility to inform your client of any potential problems with what you were hired to do. If the client doesn't agree with you, then you should make note that they were informed. Document it. At this point it is no longer your responsibility.
