Stephen Friedrich wrote:
> Now I have two choices:
> I either fulfill this requirement or I try and pick a fight.
<devils_advocate>
And apparently, since everyone in your organization is equally lazy, the
guidelines will stay fixed forever. :)
</devils_advocate>
Seriously, if the link Andrew provided doesn't motivate a change, or
review at least, maybe it is time to find a new employer. At the very
least, the sane approach is for all new projects to adopt a more modern
set of standards. Updating legacy stuff might be cost prohibitive, but
new projects shouldn't have to pay a hefty price (equate it to dollars)
for compatibility with unsupported security risks. You might even try
the angle that it represents a potential liability to your company
because there are no further security patches. Regardless, if the suits
can't provide tangible proof that the requirement is real (e.g. a major
client who can't upgrade for some feasible reason, internal deployment
only etc.), they have demonstrated a serious lack of foresight, and who
wants to be saddled with that? And finally, it is most decidedly not "a
fight". If you go into it with that mentality and get your ass kicked,
you deserve it. Find out where the resistance is coming from and what
kind of context is required to specify your evidence in terms that they
will understand. Analyze the situation and propose a solution. If your
bosses can't respond to that kind of presentation reasonably, it is time
to get out.
--
Shane