Adds the "from emergency to deliberate staged objectives" pacing strategy (severity unchanged, tempo deliberate - the depth of the Glaz tools estate makes rushing the bigger risk) and records Steve's blanket approval (Tier A execution-cleared). Softens the Tom outreach to a partnership / not-a-fire-drill tone per Mike. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Draft message to Tom (for Mike's review before sending)
Channel: suggest a direct email or Teams/Slack to Tom — NOT buried in the #32378 security ticket (that ticket carries the full alarming findings; this message is intentionally light and solution-focused). Tone goal: lead with relief; one concrete, bounded ask; respect the 20 years; no threat-model dump.
Subject: Glaztech site — we're in this with you
Hi Tom,
We know the last few days have been stressful — the security scan dropped a real bomb in your lap, and we don't take that lightly. Believe me when I say we're here to help: to keep Glaztech safe, and to help you with the security side of the network and the site. You've kept this running for a long time — we're not here to second-guess any of that. We're here to take the security weight off your shoulders and work it with you.
Here's the reassuring part, now that we've had time to dig in: this doesn't have to be a fire drill. What the deeper look showed is that the site, the GTIware tools, and the database all tie together pretty tightly — and because of that, the right move is a calm, staged plan, not a rushed scramble. We handle the urgent, self-contained pieces on our side right away, and work through the rest methodically, together, without disrupting your day-to-day or your billing.
So here's what we're proposing.
The heavy infrastructure security is squarely our lane, and we'll carry it:
- Locking down the server and tightening the database permissions
- Putting a web application firewall in front of the site
- Tightening the network/firewall around the database server
And there's one place where your knowledge of the app is exactly what's needed — and where we'd be working side by side with you. There's a specific set of ~59 older SQL queries in the site that build their statements by stitching text together; switching those to use parameters is the single highest-value code change for hardening the site. It's contained and repetitive — no redesign, no new frameworks. We'll hand you the exact list — files and line numbers — and walk it with you on a call if that's easier, so it's a real collaboration, not a hand-off.
Down the road there's a bigger item — modernizing how saved cards/payments are handled — but that's a project we'll plan and scaffold with you when there's bandwidth. No rush; we'll carry the legwork.
Bottom line: you're not on the hook to become a security expert overnight, this isn't a five-alarm scramble, and you're not in this alone. We've got the infrastructure side, we'll hand you a clear, bounded list for the code piece, and we'll work it together at a sane pace. Let me know a good time to connect.
Thanks, Mike / Arizona Computer Guru
Notes for Mike (not part of the message)
- Prerequisite before sending: ACG should run the §2a source grep first so the "exact list of 59 lines/files" is actually in hand when Tom replies — don't promise the list and then make him wait. (Assessment C3 names the files: ach.aspx.vb, quick-pay-ach.aspx.vb, quick-pay-pnc.aspx.vb, quick-pay.aspx.vb, order-detail* + the quo() definition.)
- Held back deliberately (keep the first ask minimal): the customer-vs-employee path-map review and the /emp/ VPN-gating. Raise those as a separate, lighter touch once the 59-query ask is moving, or have ACG derive the map from logs/source and just confirm a couple of points with him.
- Not mentioned: the full threat model, plaintext passwords, the domain-admin/msdb/xp_cmdshell chain — all ACG-side, handled without burdening Tom.
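The "source grep" the prerequisite note refers to, and the string-stitched-query pattern the message describes to Tom, as an added example that is not part of these notes or of the site's own code: it lists file:line for .aspx.vb lines where a SQL string is joined to something with "&" or "+". The sample .vb content is constructed here; the only real name it borrows from the assessment is the quick-pay.aspx.vb file name.

```shell
#!/bin/sh
# Added example, not part of the original notes or the Glaztech code base:
# a first-pass source grep that lists lines in .aspx.vb files where a SQL
# statement is built by string concatenation ("&" or "+") instead of
# parameters. Output is file:line:text, i.e. the "exact list of files and
# line numbers" the message promises Tom. It is a heuristic: a string that
# starts with a SQL keyword and is followed by a concatenation operator.
# Every hit still needs a human look (a prompt such as "Select a card:" & x
# would be flagged), and it misses queries assembled across several lines
# from fragments that do not start with a keyword.

find_concat_sql() {
    # $1 = directory to scan; prints file:line:text for each candidate line.
    find "$1" -type f -name '*.vb' -print0 \
      | xargs -0 grep -n -H -i -E \
          '"[[:space:]]*(select|insert|update|delete|exec|where|and|or)[[:space:]][^"]*"[[:space:]]*[&+]' \
      || true   # no hits is not an error
}

make_sample_dir() {
    # Constructed sample input (hypothetical file content, not the real site code).
    d="$(mktemp -d)"
    cat > "$d/quick-pay.aspx.vb" <<'EOF'
Dim sql As String = "SELECT * FROM Orders WHERE OrderId = " & Request("id")
Dim sql2 As String = "UPDATE Cards SET Token = '" & quo(token) & "' WHERE Id = " & id
sql = sql & " AND Status = '" & status & "'"
Dim safe As String = "SELECT * FROM Orders WHERE OrderId = @id"
cmd.Parameters.AddWithValue("@id", Request("id"))
Dim msg As String = "Please select a payment method" & vbCrLf
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: lines 1-3 of the sample are reported, lines 4-6 are not
# (the @id query is already parameterized; the last line is UI text).
find_concat_sql "$(make_sample_dir)"
```

Run it from the web root to get the list per file; the count it produces is what the "~59" figure in the message should be checked against before the email goes out.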