claudetools/clients/glaztech/reports/2026-06-05-tom-message-draft.md
Mike Swanson a8abe4a14b glaztech: staged-remediation pacing strategy + Steve approval + softened Tom message
Adds the "from emergency to deliberate staged objectives" pacing strategy
(severity unchanged, tempo deliberate - the depth of the Glaz tools estate makes
rushing the bigger risk) and records Steve's blanket approval (Tier A
execution-cleared). Softens the Tom outreach to a partnership / not-a-fire-drill
tone per Mike.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 10:40:14 -07:00


# Draft message to Tom (for Mike's review before sending)

**Channel:** suggest a direct email or Teams/Slack to Tom — NOT buried in the #32378 security ticket
(that ticket carries the full alarming findings; this message is intentionally light and solution-focused).

**Tone goal:** lead with relief; one concrete, bounded ask; respect the 20 years; no threat-model dump.

---

**Subject:** Glaztech site — we're in this with you

Hi Tom,

We know the last few days have been stressful — the security scan dropped a real bomb in your lap, and
we don't take that lightly. Believe me when I say we're here to help: to keep Glaztech safe, and to help
**you** with the security side of the network and the site. You've kept this running for a long time — we're
not here to second-guess any of that. We're here to take the security weight off your shoulders and work
it *with* you.

Here's the reassuring part, now that we've had time to dig in: **this doesn't have to be a fire drill.**
What the deeper look showed is that the site, the GTIware tools, and the database all tie together pretty
tightly — and *because* of that, the right move is a calm, staged plan, not a rushed scramble. We handle
the urgent, self-contained pieces on our side right away, and work through the rest methodically,
together, without disrupting your day-to-day or your billing.

So here's what we're proposing.

The heavy infrastructure security is squarely our lane, and we'll carry it:

- Locking down the server and tightening the database permissions
- Putting a web application firewall in front of the site
- Tightening the network/firewall around the database server

And there's one place where your knowledge of the app is exactly what's needed — and where we'd be working
side by side with you. There's a specific set of **~59 older SQL queries** in the site that build their
statements by stitching text together; switching those to use parameters is the single highest-value code
change for hardening the site. It's contained and repetitive — no redesign, no new frameworks. **We'll
hand you the exact list — files and line numbers — and walk it with you on a call if that's easier**, so
it's a real collaboration, not a hand-off.

Down the road there's a bigger item — modernizing how saved cards/payments are handled — but that's a
project we'll plan and scaffold **with** you when there's bandwidth. No rush; we'll carry the legwork.

Bottom line: you're not on the hook to become a security expert overnight, this isn't a five-alarm
scramble, and you're not in this alone. We've got the infrastructure side, we'll hand you a clear, bounded
list for the code piece, and we'll work it together at a sane pace. Let me know a good time to connect.

Thanks,

Mike / Arizona Computer Guru

---
### Notes for Mike (not part of the message)
- **Prerequisite before sending:** ACG should run the §2a source grep first so the "exact list of 59 lines/files" is actually in hand when Tom replies — don't promise the list and then make him wait. (Assessment C3 names the files: `ach.aspx.vb`, `quick-pay-ach.aspx.vb`, `quick-pay-pnc.aspx.vb`, `quick-pay.aspx.vb`, `order-detail*` + the `quo()` definition.)
- **Held back deliberately** (keep the first ask minimal): the customer-vs-employee path-map review and the `/emp/` VPN-gating. Raise those as a separate, lighter touch once the 59-query ask is moving, or have ACG derive the map from logs/source and just confirm a couple of points with him.
- **Not mentioned:** the full threat model, plaintext passwords, the domain-admin/`msdb`/`xp_cmdshell` chain — all ACG-side, handled without burdening Tom.
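- **Shape of the per-query change** (added illustration for the call with Tom; this is not code from the Glaz site or from ACG's notes). The site's pages are `.aspx.vb`, so the sketch below uses VB.NET with `System.Data.SqlClient`; the `Orders` table, the `Status`/`OrderId` columns and the connection string are constructed stand-ins, not names from the assessment. It shows the "stitched text" form the message refers to beside the parameterized replacement, so the 59 edits can be compared against one reference pattern.

```vbnet
' Added example, not from the Glaztech code base. Table and column names are made up.
Imports System.Data
Imports System.Data.SqlClient

Public Class OrderLookup
    Private ReadOnly _connStr As String

    Public Sub New(connStr As String)
        _connStr = connStr
    End Sub

    ' BEFORE (the pattern the message describes): the SQL text is stitched together with
    ' the request value, so whatever characters the value contains become part of the
    ' statement the server parses. This is the form to find and replace.
    Public Function GetOrderStatusStitched(orderId As String) As String
        Dim sql As String = "SELECT Status FROM Orders WHERE OrderId = '" & orderId & "'"
        Using conn As New SqlConnection(_connStr)
            Using cmd As New SqlCommand(sql, conn)
                conn.Open()
                Return TryCast(cmd.ExecuteScalar(), String)
            End Using
        End Using
    End Function

    ' AFTER: the SQL text is a constant and the value travels as a typed parameter.
    ' The server receives the value separately from the statement and never treats it
    ' as SQL, so no quoting or escaping of the input is needed in the page code.
    Public Function GetOrderStatus(orderId As String) As String
        Const sql As String = "SELECT Status FROM Orders WHERE OrderId = @orderId"
        Using conn As New SqlConnection(_connStr)
            Using cmd As New SqlCommand(sql, conn)
                ' Declare the type and length explicitly; it also keeps the plan cache stable.
                cmd.Parameters.Add("@orderId", SqlDbType.NVarChar, 32).Value = orderId
                conn.Open()
                Return TryCast(cmd.ExecuteScalar(), String)
            End Using
        End Using
    End Function
End Class
```

  Each of the 59 edits is the same two-step move: replace every `'" & value & "'` fragment in the statement with an `@name` placeholder, then add one `cmd.Parameters.Add(...)` line per placeholder. The query logic, the page flow and the result handling stay untouched, which is what makes the work contained and repetitive rather than a redesign. One review point per edit: a parameter holds a value, not an identifier, so a query that stitches in a table or column name needs a whitelist check instead of a parameter.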