[lowercased]

just went through a process audit with a major financial company. they were vetting our setup to connect and grab info from them for use in a product. The auditor flipped out when he learned that "developers" would potentially have access to our live production database (not theirs mind you - our own).

"This is unacceptable, developers can write code and could exfiltrate data".

"Umm... someone needs to be doing database updates, backups, restores, etc. Who do you suggest do that?" (bear in mind there's only 3 tech people on our team, and only 6 people total involved in the company's business).

"Typically a DBA or a manager would do that work. It would need to be someone who couldn't write any code to exfiltrate data".

We just sat on the call for another minute or so. I asked him to detail out the process by which someone who should be incapable of 'exfiltrating code' should also be the person who has access to manage the structure of a production database. We got nothing back except a checklist of stuff that we'd 'failed' with no remediation suggestions.

So... apparently some large companies do not consider DBAs as "developers" for certain checklists.

[icedchai]

Did you ask them why a DBA would write code to exfiltrate the data, when they could just copy the backup off site and do it at their leisure?

[reaperducer]

Wow. Just wow. Because I've actually seen this happen elsewhere (not financial), and I thought it was a one-off.

[rjplatte]

Data Security the hard way