[emj]

"Application Whitelisting" Does that actually work anywhere except in an boring office? Everyone that has a functioning devshop always has too many holes in their whitelists to effectively protect them. Client machines WITH credentials has to be made untrusted.

[yoloClin]

There's no reason it can't work in say development environments - the simplest approach is to configure whitelisted directories which permit execution in most solutions. It's not perfect but it helps prevent execution of questionable downloads / attachments.

> Client machines WITH credentials has to be made untrusted.

Network segregation is better if you truly care about security and costs in productivity. I think you'll find higher end environments have a 'trusted box' and a 'development box' which physically sit side-by-side on different networks.

[emj]

We might discussing this from different views, network segregation is important even if you build everything as zero trust, firewalling something it's one of the easiest way to not trust it.

I think the difference in perspective is that I only really need to work in very narrow an well defined interface to systems that can be hacked, so my view of what the attack surface is affacted by that, I do not care about. For me as long as revealing my password to my client is fine I'm fine. My client can be full of malware without affecting security severly.

Clean room; "leave everything connected on the outside", and variants of that is REALLY ineffective. I've measured that the waste from that, back then we spent alot of time classifing what software had to be developed in such an environment. You do not want to work that way.

[yoloClin]

I don't disagree that segregation is still important, but it really depends on specific environment technical details and threat models.

Firewalling AD networks, for instance, really won't help if the administrative security model is flawed (network admins using privileged account to maintain endpoints, privileged local administrative/maintenance credentials being reused on critical infrastructure, etc). The communication protocols for administration and general use are iirc pretty much require bidirectional traffic to work.

If you don't trust the host you develop on then everything produced on that host must be audited by a trusted host. Maybe that works in environments where cost is not an issue, but I would be somewhat skeptical of any environment which attempts that without the appropriate resources. It also doesn't help in situations where source code disclosure is an issue (eg a dev posting too much to pastebin/stackoverflow/inadvertently searching google for paste buffer full of data etc).