I work for a finance startup managing the technical stuff. All of my co-workers are non-technical except a couple, but definitely not developers. The COO decided to create a new web site on his own (using a contract developer) and the owner of the company paid for it ($9k). The owner and a few others want me to use the new site. I just saw the details of the new site and it’s very low quality – intern level quality – and insecure. I would have made something like this when I was an intern, except better indented.
How do I tell the boss/owner it’s not OK to use and unmaintainable, when the reasons are technical and he spent a lot of money on it? I don’t want to appear obstructionist. The COO is using phrases like “you are not doing your part”, “some strange personal issue and we can’t tolerate that”, “we are using it, the conversation is closed”.
- It doesn’t use source control or a framework.
- It doesn’t use MVC. The PHP source files are 30k – 98k in size. They embed HTML, CSS, PHP, JS into one file.
- It uses the session id as an email verification token, allowing anyone who eavesdrops the email to hijack the session.
- It doesn’t use salts in the passwords.
    $hashedPassword = hash('sha256', $_POST['form_pswd']);
- It doesn’t escape user input in SQL queries.
    WHERE u_password='".$hashedPassword."' && u_username='".$_POST["username"]."'");
- It doesn’t encrypt personal information or financial information.
- It doesn’t escape user input in HTML output.
    <input placeholder='Name' type='text' name='form_name' value='".$row["profile_name"]."'
- The database password is hardcoded in the source code.
    $mysqli = new mysqli("localhost", ...
- The CRUD design does not even have R-Read. There is no display of user info that is entered! I asked to make sure I wasn’t missing something. The demo used a sham wrapper of a static CMS page. This is interpreted as “poking holes in it”.
- It has 7 vulnerabilities according to a security scanning app, including XSS and clickjacking. I’ve shown the report.
I figure my options are
- State the facts and walk away.
- Try to explain why it’s bad. If success, continue with old site. If fail, walk away.
- Try to fix the code myself. I dread this as it’s very messy. It could take longer than expected.
- Make the old site look like the new site. The new site does have nice design elements I can copy. Even though no one may know the difference, this option seems a bit disingenuous.
I’m unwilling to work with the new site as is. I’m certain it’s only a matter of time before it’s hacked and I don’t want my name on it. The old site is Ruby on Rails. The new site is Joomla with custom directory of PHP code.
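For readers weighing the list above, here is what the four quoted snippets look like when written the way the question says they should be. This is an added example, not the contractor's code or anything from the original post; the table names `users` and `email_verifications` and the columns other than `u_username`, `u_password` and `profile_name` are assumed.

```php
<?php
// Added example (not the contractor's code). Assumed names: a mysqli
// connection $mysqli, table users(u_username, u_password, profile_name) and
// table email_verifications(user_id, token_hash, expires_at).

// 1. Credentials come from the environment, not a hardcoded string.
$mysqli = new mysqli(getenv('DB_HOST') ?: 'localhost', getenv('DB_USER'),
                     getenv('DB_PASS'), getenv('DB_NAME'));
$mysqli->set_charset('utf8mb4');

// 2. Salted, slow hashing: password_hash() generates a random per-password
//    salt and stores it inside the hash string.
function storePassword(mysqli $db, string $username, string $plain): void {
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (u_username, u_password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
}

// 3. Login with a prepared statement: the username is bound, never
//    concatenated, and the hash is checked with password_verify().
function login(mysqli $db, string $username, string $plain): bool {
    $stmt = $db->prepare('SELECT u_password FROM users WHERE u_username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row !== null && password_verify($plain, $row['u_password']);
}

// 4. Email verification uses a random single-purpose token, stored hashed,
//    so the emailed link never carries the session id.
function issueVerificationToken(mysqli $db, int $userId): string {
    $token = bin2hex(random_bytes(32));   // 64 hex chars, goes in the email
    $tokenHash = hash('sha256', $token);  // only the hash is persisted
    $stmt = $db->prepare('INSERT INTO email_verifications (user_id, token_hash, expires_at)
                          VALUES (?, ?, NOW() + INTERVAL 1 DAY)');
    $stmt->bind_param('is', $userId, $tokenHash);
    $stmt->execute();
    return $token;
}

// 5. Escape on output so a stored profile_name cannot inject markup.
function nameField(string $profileName): string {
    return "<input placeholder='Name' type='text' name='form_name' value='"
         . htmlspecialchars($profileName, ENT_QUOTES, 'UTF-8') . "'>";
}
```

The verification endpoint would hash the token it receives from the link and look up `token_hash`, which is what keeps a leaked database dump from being usable as a set of valid links.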