[alexlarsson]

This seems like a pretty bad idea. All you do is work around the security rules of the agency. If your "easy to install" software has some kind of security exploit in it you just gave someone access to all the work you were doing on your "virtual workstation", which might be pretty bad.

Its probably less bad than an exploit of some locally installed software, but if you do most of your work in the vm it can still be pretty bad.

I understand that you're pissed of at the security rules making your job hard, but the correct fix is to fix policy, not work around it.

[JPKab]

Yeah, he can get right on fixing the policy. All he has to do is go talk to Obama and right after that he can get lunch with the Secretary of Defense and show him a powerpoint about why everything the government does with IT security is stupid.

Then, 3 years later, he can get started doing work.

[esonderegger]

To me, it comes down to whether the deliverable is the source code itself or the process by which the source code is created.

If the deliverable is static html, for example (it often is), then it shouldn't matter if that static html is authored in Eclipse or Sublime Text. By all means, the dependencies used in java projects should be scrutinized. The problem is, when it is too cumbersome to even experiment with something new from the open-source community, you end up trying to create your own in-house solution, which is way more expensive and usually less secure.

Fortunately, even top levels of management have recognized this problem. Virtual workstations are just one of a couple proposed solutions, but it's a serious option.