Cybersecurity often does not discuss intentional vulnerabilities and becoming your threat actor. While we often focus on threat actors and vulnerable codes, we must recognize that we can work against our best interests even with the best intentions. One area where this often occurs is with website developers who try to safeguard their work by incorporating code that gives them access to the site files, known as a backdoor. This is often done to protect against non-payment by clients, but it comes with potential ethical, legal, and security risks.
Hardcoding a backdoor into a website is not a viable solution and should be avoided. It violates laws in many countries and could lead to fines or even jail time. In the United States, the Computer Fraud and Abuse Act of 1986 (CFAA) clearly defines the illegal use of computer systems. The penalties for violating this act include sentences up to life in prison and significant financial penalties. Additionally, intentionally damaging a website is unethical and can lead to negative word-of-mouth, damaging the developer’s reputation and impacting future profits.
Rather than adding a backdoor, it is better to set clear expectations with a client regarding deliverables and how late or missing payments will impact them. It is crucial to use written contracts to specify these expectations and have an attorney review them for potential issues. For example, an agreement outlines that only code will be provided with full payment. In that case, the developer must only implement the code on the production server once fully paid. A development server under the developer’s control should always be used, and once agreements have been met, the code can be moved from the development server to the client’s production server.
In conclusion, intentional vulnerabilities and backdoors are not viable for safeguarding work. The risks outweigh the potential benefits, and it’s essential to find better options that maintain security and ethical standards. Clear communication and written contracts are crucial to avoiding these risks and protecting developers and clients.