At My Last Job They Used to Poke Us with Sharpened Sticks

18 May 2021

Recently I had the misfortune to witness a situation where legitimate questions were met with “well, at my last job they used to (thing that is worse than proposed thing)…” It’s a really weird argument to everyone except, apparently, the person saying it.

Some background: We are tightening up security around client data and that is, of course, good. The clients we work with in our multi-tenant application are different enough that sometimes the only way to reproduce a bug is to use client data. It used to be the policy to let developers work with client data but they had to log the request to get a special limited time login token. In that way, anyone who did something bad would be easy to discover. Clients didn’t like that at all. From their point of view every developer could see any information and being able to throw them in jail later was cold comfort. They want to protect the data from the developers.

How does one stop data from being seen by developers but still allow them to fix bugs and test new code against real world data? The new solution requires getting the approval of some high up people in the organization. They review the request, check to make sure it is linked to a related Jira ticket, doesn’t look ‘suspicious,’ and approve access. These important people are in meetings most of the time and are the same people that hire, fire, and determine bonuses. Harassing a V.P. for approval feels icky to all but the most confident. There’s other aspects of the security system that I can’t go into but also add complication and time to development and debugging.

A developer asked how we are planning to meet all of our increasingly large commitments with a slower process and no extra people. A sensible question. The answer was a variation on the title of this post. At person X’s last job they weren’t able to see any client data ever… These arguments always seem to end without a stated conclusion, but the implied conclusion isn’t great. It could be: Stop complaining because some have it worse? Or perhaps: This is happening so suck it up?

Either that other place developed easily available customer data anonymization/simulation tools or it was a terrible place to work. If the first, then shouldn’t we build a replacement tool (instead of using customer data) before enacting the security requirement? If the second… Are we really proposing to be more like a bad company?

Adding security without the proper tools to aid developers and testers comes with a speed/frustration cost. This is known but often effectively ignored as sales would revolt if feature commitment dates were moved back. Therefore there is no one to build the tools that would make the new policy efficient. Hiring more developers to build the tools would be great except that pitching spending more money to get the same work done is a generally rejected idea. Later when people ask why are we missing deadlines and people quitting… Well, memories of developer warnings are short and some upper level person will point out that ‘normal’ industry turnover is around 15% a year. Nobody in management will ever say it, and they might not even think it, but they are trying to achieve excellence with average pay, average turnover, and increasingly frustrating work conditions.