• @[email protected]
    link
    fedilink
    85
    edit-2
    2 months ago

    In my experience it’s been IT people telling me you can’t use a certain tool or have more control over your computer cause of their rules.

    The expression is appropriate but the meme assumes that im doubting the IT person’s expertise. I’m not, I’m just not liking the rules that get in the way of my work. Some rules do make sense though.

    Edit: just wanted to point out, yes I agree, you need the rules, they are still annoying tho.

      • Ethan
        link
        fedilink
        English
        52 months ago

        Their rules have stopped me from being able to do my job. Like the time the AV software quarantined executables as I was creating them so I literally could not run my code. When security enforcement prevents me from working, something needs to change.

    • @[email protected]
      link
      fedilink
      132 months ago

      I think you probably don’t realise you hate standards and certifications. No IT person wants yet another system generating more calls and complexity. but here is iso, or a cyber insurance policy, or NIST, or acsc asking minimums with checklists and a cyber review answering them with controls.

      Crazy that there’s so little understanding about why it’s there, that you just think it’s the “IT guy” wanting those.

      • @[email protected]
        link
        fedilink
        182 months ago

        I thought my comment was pretty clear that some rules are justified and that the IT person can just be the bearer of bad news.

        Maybe not, hopefully this comment clarifies.

      • @[email protected]
        link
        fedilink
        102 months ago

        So you don’t trust me, but you trust McAfee to give it full control over the system. Yet my software doesn’t work because something is blocked and nothing is showing up in the logs. But when we take off Mafee, it works. So clearly McAfee is not logging everything. And you trust Mcafee but not me? /s kinda.

        • @[email protected]
          link
          fedilink
          5
          edit-2
          2 months ago

          No one on earth trusts McAfee, be it the abysmal man or abysmal AV suite.

          If the EDR or AV software is causing issues with your code running, it’s possibly an issue with the suite, but it’s more likely an issue with your code not following common sense security requirements like code signing.

            • @[email protected]
              link
              fedilink
              22 months ago

              It’s not common, but it should be.

              Still, that was just one example. EDR reacting to your code is likely a sign of some other shortcut being taken during the development process. It might even be a reasonable one, but if so it needs to be discussed and accounted for with the IT security team.

              • @[email protected]
                link
                fedilink
                12 months ago

                You’re talking about during CI. Not during the actual coding process. You’re not signing code while you’re debugging.

      • @[email protected]
        link
        fedilink
        4
        edit-2
        2 months ago

        I worked in software certification under Common Criteria, and while I do know that it creates a lot of work, there were cases where security has been improved measurably - in the hardware department, it even happened that a developer / manufacturer had a breach that affected almost the whole company really badly (design files etc stolen by a probably state sponsored attacker), but not the CC certified part because the attackers used a vector of attack that was caught there and rectified.

        It seemingly was not fixed everywhere for whatever reason… but it’s not that CC certification is just some academic exercise that gives you nothing but a lot of work.

        Is it the right approach for every product? Probably not because of the huge overhead power certified version. But for important pillars of a security model, it makes sense in my opinion.

        Though it needs to be said that the scheme under which I certified is very thorough and strict, so YMMV.

    • @[email protected]
      link
      fedilink
      112 months ago

      As an IT guy, I’d love to give software devs full admin rights to their computer to troubleshoot and install anything as they see fit, it would save me a lot of time out of my day. But I can’t trust everyone in the organization not to click suspicious links or open obvious phishing emails that invite ransomware into the organization that can sink a company overnight.

      • @[email protected]
        link
        fedilink
        82 months ago

        Fair points but as someone who works in cybersecurity. Phishing emails can happen without admin access. I haven’t heard of any randsomware that is triggered by just clicking on a link.

        I think there should be some restrictions but highly technical people should slowly be given more and more control as they gain more trust/experience.

          • @[email protected]
            link
            fedilink
            42 months ago

            Exactly this. we try to prevent cyberattacks as much as we can, but at a certain point, they’re impossible to perfectly defend against without also totally locking down our users and making it impossible for them to do their jobs. so then the game becomes one of containing the amount of damage an attack can do.

            Security is restriction. our job is to balance our users’ ability to perform their jobs with acceptable levels of risk.

      • socsa
        link
        fedilink
        22 months ago

        This is why we only hire competent engineers.

    • @[email protected]
      link
      fedilink
      102 months ago

      And the more corporate the organisation the more rules, at least the places I have worked trusts developers enough to give local admin, that takes the edge off many tasks.

    • @[email protected]
      link
      fedilink
      32 months ago

      I think the meme is more about perspectives and listening to the way someone thinks about operating IT is very different from the way someone things about architecting IT