September 28, 2015 at 4:33 pm #9503 | Ronan Healy (Keymaster) @ronan
I came across this blog post by Joe Strazzere. After the recent Volkswagen issues, Joe wondered how to react if asked to test software that was designed to cheat a test.
It made me think. Have you ever faced any ethical dilemmas as a tester? Have you tested software that, while legal, might not be wholly ethical (e.g. adware)?
If you were in that position as a tester at Volkswagen or at an out-sourced testing company, would you have tested that software or raised questions about it?

October 2, 2015 at 12:57 pm #9551 | James (Participant) @jameschristie
It’s a difficult problem. I very much doubt that the testers would have been presented with software whose stated functionality was to cheat emissions tests. From the description of the violation provided by the US Environmental Protection Agency it seems that the “defeat device” was an integral part of the normal engine control software. If the testers understood how the software worked then they should have understood the implications. If the testers were unquestioning and doing low quality work I think it’s possible they could have been deceived. If nobody told them the software was illegal they may have persuaded themselves there was nothing to worry about. However, I don’t think they could have carried out responsible testing and failed to spot it.
So what should they have done? I think that if they’d raised concerns within the project and got nowhere they should have informed the compliance and (or) audit professionals. These people have a responsibility to respond. Compliance is responsible for ensuring that the company complies with laws and regulations. Audit should identify and report on risks that might threaten the company.
I’ve never been in that position as a tester, but I’ve been on the other side as an auditor when people have raised concerns about something that was happening. It was our job to step in, investigate, and then if necessary to go over the heads of the management responsible, right to the very top. I wrote about this in my own blog.

October 5, 2015 at 10:48 am #9564 | Declan (Participant) @declan-oriordan
This link is to very influential dynamic code (security vulnerability) scanning benchmark research undertaken by Shay Chen: http://www.sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
It seems unlikely the vendors of code vulnerability tools have not considered how to optimize their products to achieve the highest possible scores for the seven categories of tests e.g. Reflective Cross-Site Scripting (RXSS) but not Stored or DOM-based XSS. If so, surely the vendors would have conducted internal tests on the enhancements? Is that cheating?
These tools provide auditors and management huge confidence they are doing a great job in securing their systems. However, research by the University of California Santa Barbara suggests tools like these are only finding some of the low-hanging fruit and are actually missing more than half of all the real vulnerabilities due to fundamental flaws in the approach.
Why Johnny Can’t Pentest:
An Analysis of Black-box Web Vulnerability Scanners
By Adam Doupé, Marco Cova, and Giovanni Vigna

October 5, 2015 at 12:47 pm #9569 | Cristi (Participant) @cristi-preda
Well, someone must do it, and I guess it is all about money if the testers know it.

October 7, 2015 at 12:03 pm #9591 | Ronan Healy (Keymaster) @ronan
@jameschristie That’s a fair summary of what to do. Who would be the auditor in this case? In general, what does the auditor do if an issue is raised about a piece of software? Would an auditor consider something like ethical issues? If the software was legal but still unethical, are there issues to still be raised with an auditor?

October 7, 2015 at 2:59 pm #9600 | James (Participant) @jameschristie
Internal auditors are in a powerful position because they are independent of the normal management hierarchy. They are accountable to the board. Good internal auditors cannot be intimidated by the threat to go over their heads because they know that is a bluff. If internal auditors have a concern they will raise it with senior management. If the concern is not addressed, and if it is sufficiently serious, then they have the right and duty to escalate their concern all the way to the board, where there should be non-exec directors who are not involved in the management of the corporation. The VW scandal would certainly have been sufficiently serious to require internal audit to escalate to the very top – if they had been aware of what was happening.
Internal auditors have to report on significant risks that affect the corporation. The risk to which VW was exposed by the emissions cheating was obviously massive. Just look at the consequences of the scandal being exposed. Also, consider how likely they were to be caught. There was always a serious risk of that because independent emissions testers would obtain dramatically different results. That is how VW were caught. So a risk with dramatic, adverse consequences, and a significant probability of being realised, would be off the scale of any risk assessment.
Ethical issues are obviously tricky because personal values and subjective judgment are involved. Breaking the law introduces big risks in which auditors would be interested, quite separate from the ethics. As a rule of thumb I would describe ethical issues that require audit interest as being those which concern actions that are not illegal but which would be difficult to defend in public. They would entail some reputational damage. One possibility is developing software that is quite legal where it is being developed and tested, but which is intended for use in a jurisdiction where it would be illegal. Alternatively, using the software might actually be illegal, but developing it would be within the law and the company is intending to sell it or use it elsewhere. Another possibility is “creative compliance”, where software is intended to exploit a loophole and defeat the ends of regulation. That could be very dodgy, because it could rest on a mistaken interpretation of the law and be genuinely illegal, or it might expose the company to very damaging publicity, or to damaging legal action before it could be established that it wasn’t illegal. These are all the sorts of things auditors would have a legitimate interest in.
It’s hard to say where auditors or testers should draw the line. I wouldn’t expect either to have any responsibility to act on the sort of routine, dark-pattern usability tricks that some companies get up to. That means website features that designers know will trick users into selecting add-ons, or more expensive purchases. Search for “dark patterns” and UX. It’s an interesting subject. I find that distasteful, and wouldn’t want to be involved, but that is a personal judgment rather than a professional one. Auditors would have a responsibility to get involved if the dark patterns edged over into fraud, or if there was a serious risk of damaging publicity. Companies that do it, but stay on the right side of the law, are generally known for that sort of behaviour, and have decided to live with the image. I’m not naming any airlines!

October 8, 2015 at 9:19 am #9611 | Kasper (Participant) @kasper
IMHO it is down to personal responsibility. Most if not all testers are bound by NDAs, and whistleblowers have little legal protection.
Engineers (I assume including testers) did raise the point internally but were rebuffed. When that happens you can do one of two things: you walk away, or you don’t.
In a big, politically significant project in the Netherlands where I was responsible for testing, I chose to walk away when the project willfully kept software in place which I knew would break regulations. I did not go to the authorities (in any case difficult when working on a government assignment) and I honored the NDA. But for me it was a moral decision, not a legal one.
So I did raise questions (as did the engineers at VW) to the board and stepped away when I could not influence the outcome.

January 14, 2017 at 11:56 am #14956 | Archana (Participant) @archana
If there are people who make such things, you will certainly find many more people who will happily test it for you. Personally I would not like to be associated with such projects in any way. But you can easily be caught in a situation where you are not able to walk away from these things even if you wish to.