So we own your client database and everything important to you…
Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!”
SG dude: “Well more than likely, others have…we didn’t do anything fancy…”
Web Developer: “Well nothing has ever happened so it’s just you guys!”
SG dude: “You have no logging”.
Web Developer: “We’ve never been hacked!”
What do you do?
Scenario repeats every week - new developer, next website, next web app. See you then!

November 20th, 2008 at 3:14 am
1) Do not engage in a risk management discussion with a web developer. Those decisions are better left up the chain as high as possible where someone has to take personal responsibility for the action, or lack thereof.
2) The developer also has a good point: you’ve only proven that it’s “possible” something bad could happen. The more challenging aspect is measuring the “probability” of that something actually happening. Try articulating the level of sophistication required and cite publicized examples of when/where similar events have occurred.
3) OMG!? No logs!? How do you know if the website is even alive!?
November 20th, 2008 at 9:30 am
It’s not quantum theory to suggest information is worth money. Lots of money.
So imagine if banks, who hold physical money, took that same risk management approach to their safes that hold lots of cash.
Here goes;
“Just because you can break into my safe doesn’t mean other people will.”
Ah, yes, they will, numbnuts.
November 20th, 2008 at 9:39 am
I don’t understand, why would anyone even want to do that? It’s not like we are a target, how would someone even find us?
November 20th, 2008 at 11:32 am
Whilst your scenario is scary, what’s an even scarier scenario is when the developer goes “Hey, I knew about that vulnerability but when I talked to my line manager about it, they decided that it was going to be too expensive to fix.”
Risk pro: “How did they determine that? Was it through a risk assessment/management process?”
Dev: “Nah, in fact I’m not even sure they escalated it above their level, or talked to any of the other risk folk within the business!”
Risk pro: “D’oh”
November 20th, 2008 at 3:19 pm
Now security is a feature that costs more. Are you expecting it to be there as default? You silly security people.
November 20th, 2008 at 3:38 pm
No, that is what is called good project and requirements management. Been there, done that; it does not have to be hard if you know the buttons to push. It exponentially costs less to develop well from the onset than to have the F*** up fairy visit.
November 21st, 2008 at 4:39 pm
I’ve been pretty busy in the last few years. Booked solid now for the next 20 years. You infosec dudes affect business for a while and then some developer invents some new technology and it’s boom times again. Web 2.0 has been good for business…it never ends.