Shall I use low quality insecure software if I'm asked to?

Question

I work for a finance startup managing the technical stuff. The COO decided to create a new web site using a contract developer and the owner of the company paid for it ($9k). I'm asked to use the new site (Joomla + plenty of custom PHP code), but it appears to be of very low quality and insecure. For example:

• It doesn't use source control or a framework.
• It doesn't use MVC. The PHP source files are 30k - 98k in size. They embed HTML, CSS, PHP, JS into one file.
• It uses the session id as an email verification token, allowing anyone who eavesdrops the email to hijack the session. verifyaccount=true&token=".session_id()."&eml=".$_POST["form_email"]."'>
• It doesn't use salts in the passwords. $hashedPassword = hash('sha256', $_POST['form_pswd']);
• It doesn't escape user input in SQL queries. WHERE u_password='".$hashedPassword."' && u_username='".$_POST["username"]."'");
• It doesn't encrypt personal information or financial information.
• It doesn't escape user input in HTML output. <input placeholder='Name' type='text' name='form_name' value='".$row["profile_name"]."'
• The database password is hardcoded in the source code. $mysqli = new mysqli("localhost", ...
• The CRUD design does not even have R-Read. There is no display of user info that is entered! I asked to make sure I wasn't missing something. The demo used a sham wrapper of a static CMS page. This is interpreted as "poking holes in it".
• It has 7 vulnerabilities according to a security scanning app, including XSS and clickjacking. I've shown the report.

I'm certain it's only a matter of time before it's hacked and I don't want my name on it. So I've tried to warn against it. Unfortunately the COO seems to have made his mind and believes my position is a personal issue. Most of my co-workers are non-technical and none has development skills, so nobody spotted the real issue.

How can I explain the boss/owner that it's not OK to use such an insecure and unmaintainable software, when the reasons are technical but knowing he spent a lot of money on it ?

Regardless of the objective arguments, I figure my options are:

1. State the facts and walk away.
2. Try to explain why it's bad. If success, continue with old Ruby on Rails site. If fail, walk away.
3. Try to fix the code myself. I dread this as it's very messy. It could take longer than expected.
4. Make the old site look like the new site. The new site does have nice design elements I can copy. Even though no one may know the difference, this option seems a bit disingenuous.

Answer 1

All the technical weaknesses that you've spotted do not have equal severity:

• Maintainability weaknesses, like absence of MVC or source code control, have economic impacts. This is purely an investment assessment of your boss: if he goes on with it, it will cost him and his shareholders more to keep it running, but this will erode his and his shareholders benefits. As he already paid the money, and startup resources are scarce, there is little probability that he'll revise his opinion. Nevertheless, you should inform him.
• Security weaknesses of this extreme severity are another story. It puts future customers at high risk (not only their privacy, but also their money). The question will not be if a breach could happen, but when it would happen. And then, police investigations would start and it would no longer an economic issue but a question of responsibility. You must tell him about the risks and their potential consequences. Recent stories like Equifax breach should raise a bell in his mind.

That's what I can say about the exposed facts. SE is not the place for career recommendations, and you shall not take the following for an advice but for a subjective personal opinion. If I were you, I imagine I'd go for option 2: explain him why it's very serious, and make clear that it's so serious that you consider to go away (this should raise his attention). It's a question of ethic code of conduct.

Additional remarks: you can still opt for option 1 after option 2. Option 3 would bring you to the situation you want to avoid (i.e. being co-responsible for the mess: if something would go wrong, you would be asked why you didn't fixed it as well). Option 4 suggests that there are look&feel aspects in your bosses decision. Why not propose to bring in an UI designer to improve the appearance of the old but more secure and robust site, to have the best of both worlds ?