IT guy here, if we gave developers the option to exclude whatever the hell they wanted from AV scanning it would just mean that we would end up with computers where the entire C: drive would be excluded.
No, can’t have that.
So what should a decent IT department do to give developers the access they need to do their job while maintaining a decent level of security?
Well, the least bad solution I have worked with was to have a non generic path that was excluded by policy.
Something like C:\Excluded
The directory was excluded from AV scan and allowed in policy, the user could put what they needed there and it would be fine.
At our place it’s the IT guys trying to tell us to exclude the entire Downloads folder. One of our devs had to put her foot down and say no, we’d do something more sensible/limited instead!
Some chucklefuck over a decade ago caved to the “need” for a public shared drive. I can see the argument for things like HR policy documents and such. But they didn’t just give all users read access. Oh no, everyone got full read write. No fucking governance model, no process to check that PII wasn’t being stored there by people too lazy to follow proper procedure.
Thankfully that horror has been thoroughly killed, and MS Teams makes it so easy for people to spin up collab spaces and file storage that there’s no use case anymore.
This doesn’t remove security and compliance requirements for the business though. For our Linux endpoints we still deploy an AV on them and limit the user’s ability to add exclusions.
Huh, weird. The IT guys I work with don’t just know Windows, when I joked about wanting a Linux instead they pointed out that we have software devs using Linux too. I’d need some reason to request it, but if I know the right people (and more particularly, what their favourite snacks are), I could probably get it approved.
(Doesn’t actually help me, given I’m stuck using proprietary tools that I couldn’t get to run with wine, but at least the option is there. And that’s a big corp.)
You need a Linux machine in a separate network with separate firewall rules and the developer has to devote a bit of their time to managing that machine.
It can even be centrally managed, if you have the capacity.
But why would you want that? To secure your shit while allowing the devs to to what they like to their equipment.
As an example of scale, my company has an entire IT team of a handful of people for managing such an environment for a thousand or so devs and engineers.
IT guy here, if we gave developers the option to exclude whatever the hell they wanted from AV scanning it would just mean that we would end up with computers where the entire C: drive would be excluded.
No, can’t have that.
So what should a decent IT department do to give developers the access they need to do their job while maintaining a decent level of security?
Well, the least bad solution I have worked with was to have a non generic path that was excluded by policy.
Something like C:\Excluded
The directory was excluded from AV scan and allowed in policy, the user could put what they needed there and it would be fine.
At our place it’s the IT guys trying to tell us to exclude the entire Downloads folder. One of our devs had to put her foot down and say no, we’d do something more sensible/limited instead!
Your user base must be better than mine.
Some chucklefuck over a decade ago caved to the “need” for a public shared drive. I can see the argument for things like HR policy documents and such. But they didn’t just give all users read access. Oh no, everyone got full read write. No fucking governance model, no process to check that PII wasn’t being stored there by people too lazy to follow proper procedure.
Thankfully that horror has been thoroughly killed, and MS Teams makes it so easy for people to spin up collab spaces and file storage that there’s no use case anymore.
Give them a Linux machine?
This doesn’t remove security and compliance requirements for the business though. For our Linux endpoints we still deploy an AV on them and limit the user’s ability to add exclusions.
You ever worked in an average corporate job? You’re missing out on so much
The IT guys barely know Windows, they’ve most likely never even heard of Ubuntu, could you imagine such a thing :|
Huh, weird. The IT guys I work with don’t just know Windows, when I joked about wanting a Linux instead they pointed out that we have software devs using Linux too. I’d need some reason to request it, but if I know the right people (and more particularly, what their favourite snacks are), I could probably get it approved.
(Doesn’t actually help me, given I’m stuck using proprietary tools that I couldn’t get to run with wine, but at least the option is there. And that’s a big corp.)
A machine that takes extra time and skills to manage?
As someone who does exactly that right now. Yes.
You need a Linux machine in a separate network with separate firewall rules and the developer has to devote a bit of their time to managing that machine.
It can even be centrally managed, if you have the capacity.
But why would you want that? To secure your shit while allowing the devs to to what they like to their equipment.
In an ideal world I agree with you, but when resources are limited, running a separate environment is not allways realistic.
^ this
As an example of scale, my company has an entire IT team of a handful of people for managing such an environment for a thousand or so devs and engineers.
My past role was a combined role of these:
Helpdesk technician
VIP technician
Linux system administrator
We didn’t effectively administrate the Linux environment, I was the only linux admin at the company, and I wasn’t even doing it full time.
I appreciate you trying to keep your developers productive. Deeply appreciate the concern.