I just had a super fun discussion with one of the program managers on my team. Our software is going through an external security review right now (a normal and healthy part of releasing and operating trustworthy products), and this person found some obscure scenario that’s completely unrelated to the work we’re doing. She stopped by to “coach” me on how to respond, just in case the auditors ask about it. (They won’t.)
Here is the very much abbreviated version of our discussion. For simplicity, please note that I replaced all of the technical security jargon with “bear traps.”
Her: If they ask if we use bear traps, tell them you’ll have to get back to them after you talk to our manager.
Me: No. If they ask if we use bear traps, I’m going to tell them “No.”
Her: Why would you do that?
Me: Because we definitely do not use any bear traps. I built the system and know this to be true. I do not need to confer with our manager first about this fact.
Her: But if you tell them “No” it will set off a red flag and may put us out of compliance.
Me: That’s correct. If our customers require the use of bear traps, and we do not have any bear traps, then we should fail the bear traps test. This is how testing works.
Her: You shouldn’t tell them that.
Me: Are you asking me to lie?
Her: No. I’m just asking you to delay the truth so we can craft an appropriate response.
Me: The appropriate response is that we don’t use bear traps. If we need to use bear traps, I can build and deploy them with our next release, but that will require us to end this conversation now.
Her: I’ll run this by our manager.
Me: Please give her my best.
Ugh. I need to set some bear traps near my office door.