neilv · 2 years ago
The big mistake here was editing an engineering statement to say something false.

If you're an honest person, assume that your job under that director (and probably at the company entirely) was over as soon as they asked you to make a fraudulent engineering statement. Even if they backpedaled when you resisted, you're not a team player with them, and you're a threat to someone very dishonest.

At that point, options:

* just leave;

* consult a labor attorney (you can get a free initial consultation); or

* go above the director's head, probably (in a small company) to the owner/CEO, whatever attorney is on staff or they retain, or HR (though, you're still probably over at the company, even though they'll diplomatically pretend that you're not, because you are in 100% corporate butt-covering territory now, in a place that puts someone very dishonest as a director).

justrealist · 2 years ago
> though, you're still probably over at the company, even though they'll diplomatically pretend that you're not

If you're professional about it (be factual, straightforward, and don't do a burn-the-world email blast), I wouldn't assume this to be true. Sometimes companies simply make bad high-level hires and are happy about exposing and terminating them.

Or sometimes not. But the vast majority of CEOs want to know when their direct reports are lying to them and would be happy about this outreach.

neilv · 2 years ago
I've heard of that happening. An engineer somehow realized that top leadership wasn't getting an accurate story about the state of a bet-the-company engineering project, so the engineer went over the head of the VP (I don't know to whom). Turned out that upper leadership felt the VP had been lying to the board. Presumably because of where that left the business, the majority of employees were hit by a series of layoffs, but the engineer who'd blown the whistle to execs was still there, one of the last people, presumably very trusted/favored.

Though I've heard a lot more stories of the little people being considered disposable, and occasionally kill-the-messenger. :)

zwerdlds · 2 years ago
How do you even TRUST the leadership at that point?

I've been in this situation before, and the ideas in my head are basically paranoia. How do I trust that my manager isn't going to throw me under the bus in the next project? How would I EVEN KNOW?

satisfice · 2 years ago
Yes, he should not have made the change. Period. It’s pretty simple.

Don’t write things that are not true.

hn_throwaway_99 · 2 years ago
One thing that I would just highlight with your options: be extra sure to save receipts for everything - that means screenshots, even with an external camera if you're worried about corporate spyware.

If you have everything well-documented, the likeliest outcomes look pretty good for you:

1. If you bring up the issue to HR or to a higher-level exec and they are competent, they will immediately either address the problem with the director or fire them for cause.

2. If you bring up the issue and they are shitty and try to fire you, it's honestly like free money for you if you have good evidence. If they're not complete idiots they'll settle in a heartbeat because their number one priority will be damage control.

rayiner · 2 years ago
Do not lie to the government, even if you are following orders. In the US, federal and state law differ, but most have some variant of the federal false claims statute: https://www.law.cornell.edu/uscode/text/18/287

> Whoever makes or presents to any person or officer in the civil, military, or naval service of the United States, or to any department or agency thereof, any claim upon or against the United States, or any department or agency thereof, knowing such claim to be false, fictitious, or fraudulent, shall be imprisoned not more than five years and shall be subject to a fine in the amount provided in this title.

This has been interpreted very broadly to encompass pretty much anything you submit to the government in support of the government paying you or your company money.

Probably nobody will notice, and you probably won’t get prosecuted. But this stuff comes to light all the time if something goes sideways, or if the government is investigating something else.

JamesBarney · 2 years ago
If the boss said "put that we pen tested", couldn't OP argue that he was answering to the best of his knowledge given the information the director gave him, as long as he had the email receipts? Or would there be an argument that he should have known differently and shouldn't have relied on the other director's assertion that it had been pen tested?
dragonwriter · 2 years ago
> If the boss said "put that we pen tested" couldn't op argue that he was answering to the best of his knowledge given the information the director gave him.

No.

If the OP was not in a position to know if they had pen tested, and the director said that they had, maybe, but in this case AFAICT the OP was in a position to know, the director was not except through the OP, and the director dictated a statement that was “more political”, not a correction of fact, that the OP knew to be inaccurate, and the OP dutifully put it into the document intended for the customer while in parallel repeating concerns about its truthfulness to the director.

terminalcommand · 2 years ago
I think this is the way to go as well. He might have simply said he wasn't at the firm when the pentesting was carried out and he would search for the documentation. He should have sent emails to his managers about where he could obtain the initial pentesting documentation.
rayiner · 2 years ago
He could if he thought that was correct but it sounds like he knew it wasn’t.
rq1 · 2 years ago
> "we did pen testing when we launched, but haven't done it since".

Well… was it before you joined the company?

You tell them in that case that was before your time and you quote your boss.

I’m not sure why you replied no to begin with, if you didn’t know. You should have asked your boss about it first and taken his word.

During the zoom call, you can simply reply that your boss told you so and ask him to produce the old report if it’s still in his possession.

Anyways I think these tests (ISO 27001) should be held regularly to mean anything. Being compliant in 2021 doesn’t hold the same “level of guarantee” in 2023.

And that last part is up to your client’s policy.

Do they need a recent third party audit or whatever… you should ask them questions and check with your boss if it’s worth the spending.

lolinder · 2 years ago
Nowhere does the author say they were unsure whether it had happened:

> I, truthfully, wrote that we had never pen tested our software. ... They provided me with an answer to the pen testing question that essentially said "we did pen testing when we launched, but haven't done it since". I made sure they were aware that this wasn't true.

Three years into a job as the most senior technical employee, I'd expect him to know if there were any pen tests done before he joined. It sounds to me like this is a pretty garbage company, where the one developer with a clue feels like he has no agency. I believe him if he says they didn't do any pen testing before he was there.

baz00 · 2 years ago
If I was going to get fired it’d be for telling the truth. Saying no is allowed. If they fire you for telling the truth and there is evidence to support your position then sue the fuck out of them for unfair dismissal.

My current company won’t let me near customers.

orev · 2 years ago
Since your comment references suing, I’m going to assume you’re in the US, where almost all employment is “at will”. They can dismiss you for any reason as long as it’s not a protected one. Telling the truth and being a jerk is not a protected status, so you won’t be getting anywhere with that lawsuit.
kradroy · 2 years ago
In the US retaliation by an employer for an employee reporting inappropriate or unlawful conduct to a superior is unlawful. This is a protection granted at the federal level.
catiopatio · 2 years ago
Refusing to commit fraud is, in general, not legal cause for termination.

He likely would have a wrongful termination case, depending on state whistleblower statutes.

lowbloodsugar · 2 years ago
The corporations have done a good job convincing most people that “at will” means they can let you go at any time for any reason. They can’t. But we’re in Get A Lawyer territory.
II2II · 2 years ago
How does that work when the employer puts you in a position where you must provide an answer, the expected answer would involve committing a crime, and the only alternative is to tell the truth? Whether we like it or not, employers have a lot of leverage over employees. Arguably, it is one of the reasons why employees are paid disproportionately less. Such protections should exist.

I'll believe you if you claim they don't. I'm not an American, nor do I work for an American firm. On the other hand, I do find it ironic that a country would tout law and order while not providing the means for individuals to uphold that ideal.

whimsicalism · 2 years ago
Don’t comment on things you know nothing about, being fired for refusing to commit fraud is definitely grounds for unlawful termination.

I truly don’t understand how people work and still have no idea what at will actually means.

thekevan · 2 years ago
I think the courts will view it differently if he was fired for not submitting to pressure to commit fraud.
rurban · 2 years ago
He is working in the UK, so he has rights.
dylan604 · 2 years ago
Keeping a distance from customers/users is my preferred location as well. Even designing UI is too close for my liking.
salawat · 2 years ago
I've broken my habit of retreating from customers. After all, if you don't know their pain, how are you to be an effective yardstick of Quality? If people try to keep you away from the customers/users, you beeline to the customers.
franciscop · 2 years ago
This is IMHO why programming/IT should be treated as a "real Engineering" in some cases, or at least have one of the devs (head of the project?) have a proper degree.

I studied a different Engineering, and in multiple courses the emphasis was on the actual approval/signing. The only practical difference between a technician and the Engineer in many cases was that the Engineer could actually sign off the project (or not). And thus it was made very clear that signing a document like in this Workplace question would be a big deal, since the responsibility was theirs to make sure things were compliant.

neilv · 2 years ago
My first real software engineering job came more from that tradition, where our division started as a startup of EEs and CEs, serving mil/aerospace/datacomm. So I started as a Software Technician I (and there was also a Technician II, before Engineer I). There were signoff matrices, etc.

People were scrappy, making ambitious new things happen, but honest.

Sheltered by lucky upbringing and early career experiences, I was shocked the first time I encountered someone in industry doing something dishonest.

In the current "tech" industry, I'm no longer shocked, just frequently disappointed in what I see throughout much of the industry.

I recently realized that some pretty ordinary tech ethics today is what, decades ago, was the stereotype of an "MBA". It was also a stereotype that "engineers" didn't trust "business people". Today, it seems there's less cultural distinction between the groups, at least in the stereotypes.

kibwen · 2 years ago
The whole reason that we have to go out of our way to promulgate and adhere to ethics is because otherwise ethics will be abandoned in the race to the bottom.

It's long past time that "software engineer" became a protected term in the US, as unpopular as that may be among resume-padders.

Dylan16807 · 2 years ago
> And thus it was made very clear that signing a document like in this Workplace question would be a big deal, since the responsibility was theirs to make sure things were compliant.

It sounds like OP would have refused to sign this document if asked.

So is that good for OP? Or is this a situation where not signing doesn't matter?

Johnny555 · 2 years ago
I was in a similar position once, but it was an audit questionnaire about our usage of software - we only had one production instance licensed, not the backup instance or development instances. My director wanted me to state that we only used the one instance, I refused and said I'd leave the pertinent sections blank (for the director to fill in), but I wasn't going to lie about our usage.

That's when I started looking seriously for a new job, and had left the company within a month. A few months later they went out of business after they had to pay hundreds of thousands of dollars in back licensing fees, since the vendor had evidence that their software product had been used beyond the single production instance.

I think if they'd been upfront about the usage, the company would have negotiated a fair license fee going forward without pushing for past usage to be paid too.

SmoothBrain12 · 2 years ago
Exactly, they cannot get paid from a bankrupt company. Some kind of payment schedule would be arranged.
paxys · 2 years ago
So this person lays out a complicated issue concerning contracts and fraud and ends with

> To be clear I'm not looking for legal advice, just opinions from people who may have been in a similar situation

I'm going to go ahead and say they are going to dig themselves deeper in the hole.

Waterluvian · 2 years ago
I think this is a form of boilerplate for acknowledging that no lawyer will want to give you legal advice without a more detailed phone call, and the acknowledgement that a non-lawyer can’t really offer legal advice.

The way I handle this is to ask “how strongly would you be encouraging me to get a lawyer right now?”

TonyTrapp · 2 years ago
I'd think the same. That's why in some law forums you are expected to write your questions in the manner of "suppose the hypothetical case that person X did Y, ..." instead of "I did Y, ...". So people are only talking about a theoretical case, and not giving actual legal advice.
tyingq · 2 years ago
I would go with "I was not present for any penetration testing at launch, and I'm unable to find any reports related to it. However, penetration testing done that long ago would have little current value anyway. What I will do is talk to my leaders and get regular penetration testing scheduled, and get that schedule to you asap".
paulcole · 2 years ago
> However, penetration testing done that long ago would have little current value anyway. What I will do is talk to my leaders and get regular penetration testing scheduled, and get that schedule to you asap".

Just leave that out. No point in saying it other than to make more trouble and work for yourself.

pipo234 · 2 years ago
The OP sounded like he was actually interested in putting security concerns on the company's strategic agenda. So the "trouble" might be beneficial.
hn_throwaway_99 · 2 years ago
I wouldn't put it exactly like that, but I would talk to the director and put something similar.

Most compliance frameworks like SOC 2 have a requirement for an annual pen test, so if the pen test was over a year old it wouldn't matter anyway. Best approach would just be to talk to the director and say something along the lines of "Our next pentest is scheduled for date XYZ and we can send you those results upon completion".

People who tend to freak out in situations like these where "let's lie" is their go-to, when an honest approach is possible that will likely get the job done, scare me.