Issue in this scenario is why are there critical


Write a review of this article with 2 references in APA format. (tim) For this prompt, consider a college intern working at a technology company who is bored with their job and decides to run WebInspect or Burp Suite to perform web application assessments (Primal Security, n.d.) against the customer-facing corporate website.

After the scans are complete, they see there are a number of critical severity vulnerabilities. From a policy perspective, usually, but not always, corporations require signed user agreements before access is granted to the network.

These agreements will (or should) include requirements to not install unauthorized software, and to not attempt to circumvent network security controls. Assuming the vulnerability scan results are not false positives, the broader issue in this scenario is why are there critical vulnerabilities on the public-facing website to begin with?

If the intern was hired to support an internal cybersecurity group, he probably will not get fired for exercising tools that are in his area of responsibility. If the intern works in finance, downloaded the tools, and installed them, there could be more significant issues to contend with, such as termination.

Unless the intern was specifically tasked with finding vulnerabilities, they are under no obligation to report them. Many web vulnerability assessment tools apply classifications to vulnerabilities that have to be assessed in the broader context of the organization's compensating security controls. For example, a default critical vulnerability may only have moderate impact based on an organization's security architecture and also needs to be assessed in the context of threats that are applicable to the organization (NIST, 2012).

From a Biblical perspective, this is similar to the story of the Good Samaritan. Obviously, if you see someone hurt and bleeding on the side of the road, you need to stop and see if they need help.

But to a person passing by who might have been tricked the last time they offered to help someone, say they ended up getting robbed and assaulted, that person really can't be blamed for not wanting to get tricked again.

Similar to the intern in this scenario, if they realize they are going to lose their job if they report the findings, but feel ethically compelled to report anyway, they might consider reporting the findings anonymously. Similarly, in the Good Samaritan story, many people walked by, but even if they were too afraid to stop and intervene, they should have taken the time to report what they saw to someone further up the road.

References

NIST Joint Task Force Transformation Initiative Interagency Working Group. (2012). Guide for Conducting Risk Assessments.

Primal Security. (n.d.). "Web Hacking" with Burp Suite. Retrieved August 31, 2017
