May 5, 2021

Advice: How to deal with corporate paranoia BS as a software developer

I'm seeking some advice on how to deal with some ITSEC paranoia. I am working as a DevOps engineer in a fairly large company and my team is constantly clashing with the guys from ITSEC.

We have set up a secure working process so that every change to servers / clusters is managed through infrastructure-as-code using terraform. The change is applied using an automated process with a service principal after the feature branch was approved by a colleague. Nothing is committed into master without review of the pull request. And then the change is promoted from DEV stages to TEST, QA and finally PROD.

Now the ITSECs argued that malware could somehow get hold of the developer workstation and wait to launch its attack until the changeset in the pull request eventually gets complicated and big enough to be overlooked by the reviewer. Therefore remote developer access via the internet must never be allowed.

They also came up with the situation that a dirt-cheap developer from India could get hired using his old insecure notebook with OS/2.

No, I'm not making up this shit. I'm mentally exhausted after discussing with them.
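The pipeline described in the post relies on a human reviewer catching bad changes in a pull request, which is exactly the gap the ITSEC objection points at. One common mitigation is to run automated policy checks over the `terraform show -json` plan output before a reviewer ever sees the PR, so that risky changes (destroys, IAM and security-group edits, ingress from the whole internet) and oversized changesets are flagged regardless of reviewer fatigue. The following is an added example written for this page, not code from the original post or from the poster's pipeline. It assumes the plan JSON layout that `terraform show -json` produces (a top-level `resource_changes` list, each entry with `address`, `type` and a `change` object holding `actions`, `before` and `after`); the AWS resource type names, the sample plan and the `MAX_CHANGES_PER_PR` threshold are constructed for illustration.

```python
"""Policy checks over a `terraform show -json` plan.

Added example, not from the original post. Assumes the plan JSON layout
produced by `terraform show -json tfplan`: top-level "resource_changes",
each with "address", "type" and "change": {"actions", "before", "after"}.
Resource type and attribute names below follow the AWS provider.
"""
import json

# Constructed sample plan in the shape `terraform show -json` emits.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_security_group_rule.ssh",
         "type": "aws_security_group_rule",
         "change": {"actions": ["create"], "before": None,
                    "after": {"type": "ingress", "from_port": 22, "to_port": 22,
                              "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_iam_role_policy.app",
         "type": "aws_iam_role_policy",
         "change": {"actions": ["update"],
                    "before": {"policy": "{...}"}, "after": {"policy": "{...}"}}},
        {"address": "aws_instance.web",
         "type": "aws_instance",
         "change": {"actions": ["update"],
                    "before": {"tags": {"env": "dev"}},
                    "after": {"tags": {"env": "dev", "owner": "team-a"}}}},
        {"address": "aws_db_instance.main",
         "type": "aws_db_instance",
         "change": {"actions": ["delete"], "before": {"id": "db-1"}, "after": None}},
    ],
})

# Resource types whose changes always warrant a security reviewer (assumed list).
SENSITIVE_TYPE_PREFIXES = ("aws_iam_", "aws_security_group", "aws_kms_")
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
MAX_CHANGES_PER_PR = 10  # assumed size gate; tune to the team's review capacity


def review_plan(plan_json: str, max_changes: int = MAX_CHANGES_PER_PR) -> dict:
    """Return effective change count, findings and whether sign-off is needed."""
    plan = json.loads(plan_json)
    changes = plan.get("resource_changes", [])
    findings = []  # (severity, resource address, reason)
    for rc in changes:
        actions = rc["change"]["actions"]
        if actions == ["no-op"]:
            continue  # unchanged resources carry no risk
        after = rc["change"].get("after") or {}
        if "delete" in actions:  # covers both "delete" and replace ("delete","create")
            findings.append(("high", rc["address"], "resource is destroyed"))
        if rc["type"].startswith(SENSITIVE_TYPE_PREFIXES):
            findings.append(("high", rc["address"],
                             f"sensitive type {rc['type']} changed"))
        # Ingress rules reachable from any address are the classic overlooked change.
        if after.get("type") == "ingress" and set(after.get("cidr_blocks", [])) & PUBLIC_CIDRS:
            findings.append(("critical", rc["address"], "ingress open to the internet"))
    effective = [rc for rc in changes if rc["change"]["actions"] != ["no-op"]]
    if len(effective) > max_changes:
        # Large changesets are split rather than reviewed in one go.
        findings.append(("high", "<plan>",
                         f"{len(effective)} changes exceed the review budget of {max_changes}"))
    return {
        "change_count": len(effective),
        "findings": findings,
        "needs_security_signoff": any(sev in ("high", "critical") for sev, _, _ in findings),
    }


if __name__ == "__main__":
    result = review_plan(SAMPLE_PLAN)
    for severity, address, reason in result["findings"]:
        print(f"[{severity}] {address}: {reason}")
    print("security sign-off required:", result["needs_security_signoff"])
```

Run as a required CI check on the pull request (`terraform plan -out tfplan && terraform show -json tfplan | python review_plan.py`), the result can block the merge or add a mandatory security-reviewer requirement whenever `needs_security_signoff` is true, so the control does not depend on a reviewer noticing one line in a large diff.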
