I’m seeking some advice on how to deal with some ITSEC paranoia. I am working as a DevOps engineer in a fairly large company, and my team is constantly clashing with the guys from ITSEC.
We have set up a secure working process so that every change to servers / clusters is managed through infrastructure-as-code using Terraform. The change is applied by an automated process with a service principal after the feature branch has been approved by a colleague. Nothing is committed into master without review of the pull request. The change is then promoted from the DEV stage to TEST, QA and finally PROD.
Now the ITSECs argued that malware could somehow get hold of the developer workstation and wait to launch its attack until the changeset in the pull request eventually gets complicated and big enough to be overlooked by the reviewer. Therefore, remote developer access via the internet must never be allowed.
They also came up with the scenario that a dirt-cheap developer from India could get hired and use his old insecure notebook with OS/2.
No, I’m not making up this shit. I’m mentally exhausted after discussing with them.
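The "changeset grows until the reviewer overlooks it" concern from the post can be turned into a mechanical CI gate instead of an argument about who may work remotely. The script below is an added example, not the poster's pipeline or any project's code: it reads the JSON form of a saved Terraform plan (`terraform show -json tfplan`), counts what the change set would create, update, replace or destroy, and fails the job when the set is larger than a reviewer can reasonably check or when it would destroy resources in a protected stage without an explicit override. The thresholds, the stage names, the `allow_destroy` override and the embedded sample plan are all assumptions constructed for this illustration.

```python
"""Blast-radius gate for a Terraform plan, meant to run in CI before apply.

Usage: python plan_gate.py <plan.json> <STAGE> [--allow-destroy]
The plan file is produced by `terraform show -json tfplan`.
Thresholds and stage names are assumptions for this example.
"""
import json
import sys
from dataclasses import dataclass, field

MAX_CHANGED_RESOURCES = 10          # assumed limit: bigger sets must be split into several PRs
PROTECTED_STAGES = {"QA", "PROD"}   # assumed: destroys here need an explicit override


@dataclass
class Verdict:
    ok: bool
    counts: dict = field(default_factory=dict)
    reasons: list = field(default_factory=list)


def classify(actions):
    """Map Terraform's per-resource action list to one change kind.

    Terraform emits e.g. ["no-op"], ["create"], ["update"], ["delete"],
    or ["delete", "create"] / ["create", "delete"] for a replacement.
    """
    s = set(actions)
    if s == {"no-op"} or s == {"read"}:
        return "no-op"
    if "delete" in s and "create" in s:
        return "replace"
    if "delete" in s:
        return "delete"
    if "create" in s:
        return "create"
    return "update"


def evaluate_plan(plan, stage, allow_destroy=False):
    """Return a Verdict for the plan when applied to the given stage."""
    counts = {"create": 0, "update": 0, "delete": 0, "replace": 0, "no-op": 0}
    destroyed = []
    for rc in plan.get("resource_changes", []):
        kind = classify(rc["change"]["actions"])
        counts[kind] += 1
        if kind in ("delete", "replace"):
            destroyed.append(rc["address"])

    changed = sum(v for k, v in counts.items() if k != "no-op")
    reasons = []
    if changed > MAX_CHANGED_RESOURCES:
        reasons.append(f"{changed} resources change; limit is "
                       f"{MAX_CHANGED_RESOURCES}, split the pull request")
    if destroyed and stage in PROTECTED_STAGES and not allow_destroy:
        reasons.append(f"destroy/replace in {stage} without override: "
                       + ", ".join(destroyed))
    return Verdict(ok=not reasons, counts=counts, reasons=reasons)


# Constructed sample plan: two harmless updates hide a database replacement.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_instance.web", "change": {"actions": ["update"]}},
        {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
        {"address": "aws_db_instance.main", "change": {"actions": ["delete", "create"]}},
        {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"]}},
    ]
}


def main(argv):
    if len(argv) < 3:
        print(__doc__)
        return 2
    with open(argv[1]) as fh:
        plan = json.load(fh)
    verdict = evaluate_plan(plan, argv[2], allow_destroy="--allow-destroy" in argv[3:])
    print("plan summary:", verdict.counts)
    for reason in verdict.reasons:
        print("BLOCKED:", reason)
    return 0 if verdict.ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as a required status check alongside the human review, the gate makes the size of a change set a hard limit rather than a matter of reviewer stamina, and forces anyone who wants a destroy in a protected stage to say so visibly in the pipeline invocation rather than burying it in a large diff.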