this post was submitted on 08 Jan 2025
261 points (100.0% liked)
Programmer Humor
22352 readers
2719 users here now
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
IT guy here, if we gave developers the option to exclude whatever the hell they wanted from AV scanning it would just mean that we would end up with computers where the entire C: drive would be excluded.
No, can't have that.
So what should a decent IT department do to give developers the access they need to do their job while maintaining a decent level of security?
Well, the least bad solution I have worked with was to have a non generic path that was excluded by policy.
Something like C:\Excluded
The directory was excluded from AV scan and allowed in policy, the user could put what they needed there and it would be fine.
Give them a Linux machine?
This doesn't remove security and compliance requirements for the business though. For our Linux endpoints we still deploy an AV on them and limit the user's ability to add exclusions.
Huh, weird. The IT guys I work with don't just know Windows, when I joked about wanting a Linux instead they pointed out that we have software devs using Linux too. I'd need some reason to request it, but if I know the right people (and more particularly, what their favourite snacks are), I could probably get it approved.
(Doesn't actually help me, given I'm stuck using proprietary tools that I couldn't get to run with wine, but at least the option is there. And that's a big corp.)
A machine that takes extra time and skills to manage?
As someone who does exactly that right now. Yes.
You need a Linux machine in a separate network with separate firewall rules and the developer has to devote a bit of their time to managing that machine.
It can even be centrally managed, if you have the capacity.
But why would you want that? To secure your shit while allowing the devs to to what they like to their equipment.
In an ideal world I agree with you, but when resources are limited, running a separate environment is not allways realistic.
^ this
As an example of scale, my company has an entire IT team of a handful of people for managing such an environment for a thousand or so devs and engineers.
My past role was a combined role of these:
Helpdesk technician
VIP technician
Linux system administrator
We didn't effectively administrate the Linux environment, I was the only linux admin at the company, and I wasn't even doing it full time.
I appreciate you trying to keep your developers productive. Deeply appreciate the concern.
Your user base must be better than mine.
Some chucklefuck over a decade ago caved to the "need" for a public shared drive. I can see the argument for things like HR policy documents and such. But they didn't just give all users read access. Oh no, everyone got full read write. No fucking governance model, no process to check that PII wasn't being stored there by people too lazy to follow proper procedure.
Thankfully that horror has been thoroughly killed, and MS Teams makes it so easy for people to spin up collab spaces and file storage that there's no use case anymore.