# Draft message to Tom (for Mike's review before sending)

**Channel:** suggest a direct email or Teams/Slack to Tom — NOT buried in the #32378 security ticket (that ticket carries the full alarming findings; this message is intentionally light and solution-focused).

**Tone goal:** lead with relief; one concrete, bounded ask; respect the 20 years; no threat-model dump.

---

**Subject:** Glaztech site — what we're handling, and the one spot we'd love your help

Hi Tom,

First off — thanks for everything you've kept running on the site over the years. It's a lot, and the last thing we want is to pile onto your plate. So here's the plan: **we're taking the heavy lifting on the security side ourselves.**

On our side — you don't need to touch any of this:

- Locking down the server and tightening the database permissions
- Putting a web application firewall in front of the site
- Tightening the network/firewall around the database server

There's **one** place where your hands are really the right ones. There's a specific set of **~59 older SQL queries** in the site that build their statements by stitching text together. We'd like to switch those to use parameters instead — it's the single highest-value code change for hardening the site, and it's a contained, repetitive update (no redesign, no new frameworks).

**We'll hand you the exact list — the files and line numbers — so you're not hunting for them.** If it's easier, we'll hop on a quick call and walk the list together.

There is a bigger item further down the road — modernizing how saved cards/payments are handled — but that's a project we'll plan and scaffold **with** you when there's bandwidth. No rush, and we'll do the legwork around it; it's not something we're asking you to take on right now.

That's really the whole ask for now: the 59 queries (with the list in hand), and we cover the rest. Let me know what works for the walkthrough.
Thanks,
Mike / Arizona Computer Guru

---

### Notes for Mike (not part of the message)

- **Prerequisite before sending:** ACG should run the §2a source grep first so the "exact list of 59 lines/files" is actually in hand when Tom replies — don't promise the list and then make him wait. (Assessment C3 names the files: `ach.aspx.vb`, `quick-pay-ach.aspx.vb`, `quick-pay-pnc.aspx.vb`, `quick-pay.aspx.vb`, `order-detail*` + the `quo()` definition.)
- **Held back deliberately** (keep the first ask minimal): the customer-vs-employee path-map review and the `/emp/` VPN-gating. Raise those as a separate, lighter touch once the 59-query ask is moving, or have ACG derive the map from logs/source and just confirm a couple of points with him.
- **Not mentioned:** the full threat model, plaintext passwords, the domain-admin/`msdb`/`xp_cmdshell` chain — all ACG-side, handled without burdening Tom.
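Reference for the walkthrough with Tom (an added example, not code from the Glaztech site, from ACG, or from the assessment): the "before" shape of a stitched-together query next to the parameterized "after" shape, plus the two cases a mechanical rewrite usually trips over, IN-lists and ORDER BY column names. The table and column names (`Orders`, `OrderId`, `CustomerId`, `Total`) are placeholders, not the site's schema, and the site's `quo()` helper is not reproduced here because its body is not shown on this page.

```vbnet
' Added reference example (not from the Glaztech code base). Table and column
' names are placeholders; the site's own quo() helper is intentionally not used.
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Public Module QueryHardening

    ' BEFORE: the statement text is assembled from the caller's string, so the
    ' database cannot distinguish the data value from the SQL around it.
    Public Function BuildOrderQuery_Before(orderId As String) As String
        Return "SELECT OrderId, CustomerId, Total FROM Orders WHERE OrderId = '" & orderId & "'"
    End Function

    ' AFTER: fixed statement text; the value travels separately as a typed parameter.
    ' The SQL text never changes with input, which is the whole point of the rewrite.
    Public Function LoadOrder(conn As SqlConnection, orderId As Integer) As DataTable
        Const sql As String = "SELECT OrderId, CustomerId, Total FROM Orders WHERE OrderId = @OrderId"
        Using cmd As New SqlCommand(sql, conn)
            ' Declare the type explicitly: no implicit conversion, stable query plan.
            cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = orderId
            Dim dt As New DataTable()
            Using rdr As SqlDataReader = cmd.ExecuteReader()
                dt.Load(rdr)
            End Using
            Return dt
        End Using
    End Function

    ' IN-lists cannot be bound to a single parameter, so generate one parameter
    ' per value (@c0, @c1, ...) and only stitch the generated names, never the values.
    Public Function BuildInListCommand(conn As SqlConnection, customerIds As IList(Of Integer)) As SqlCommand
        If customerIds Is Nothing OrElse customerIds.Count = 0 Then
            Throw New ArgumentException("customerIds must contain at least one value")
        End If
        Dim names As New List(Of String)()
        Dim cmd As New SqlCommand()
        cmd.Connection = conn
        For i As Integer = 0 To customerIds.Count - 1
            Dim pname As String = "@c" & i
            names.Add(pname)
            cmd.Parameters.Add(pname, SqlDbType.Int).Value = customerIds(i)
        Next
        cmd.CommandText = "SELECT OrderId, CustomerId, Total FROM Orders WHERE CustomerId IN (" & String.Join(", ", names) & ")"
        Return cmd
    End Function

    ' Identifiers (an ORDER BY column) cannot be parameters either. Map the request
    ' through a fixed allow-list and fall back to a default instead of concatenating it.
    Public Function SafeSortColumn(requested As String) As String
        Select Case requested
            Case "OrderId", "CustomerId", "Total"
                Return requested
            Case Else
                Return "OrderId"
        End Select
    End Function

End Module
```

When walking the 59 sites with Tom, the quick check per query is: does any part of the final SQL text still come from a variable? Values go into `Parameters`; IN-lists get one parameter per element; column or table names go through an allow-list like `SafeSortColumn`. A query that passes all three can be ticked off the list.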