[hotpotamus]

You know, the longer I'm at this, I see more and more effort thrown at developing security and one thing remains the same - you've got a user sitting at a machine with network access and the ability to execute code, and sometimes you can trick that user into executing code. I guess the bigger the company, the more users which means more targets/chances.

For decades I've been told that security through obscurity is no security at all, but in the back of my mind, I think it might be the best thing I've got going for me working at a small place. Though I should say, that's far from being our only security - we do work at it too.

[notakio]

Obscurity, by itself, may be an ineffective security strategy, but it does provide an additional layer on top of other layers of security to improve things, overall. There's a Spafford quote on this, but I'm failing to find it. Let's just pretend it's like what I said, but more eloquent.

[_Adam]

The best approach is to assume there's a renegade employee constantly trying to screw the company over. Granularity of permissions should be set to minimize the blast radius to the absolute minimum they need to do their job.

[bombcar]

Hell, you should offer an internal bounty to any employee who reports “I got access to something I shouldn’t need”.

[notakio]

Part of what I do first at any new employer is ask myself the question, "if I wanted to burn all of this to the ground, how would I do it?" I generally don't share the fact that I'm going through this little thought experiment with my management, but it helps triage what's currently "broken", and gives me a clearer focus on what needs to be fixed.

If I'm thinking about it, I can be assured that someone with differing motivations likely already has, or soon will be thinking about the same.

[UncleMeat]

This approach is possible but increases the complexity of your problem by enormous amounts. I know of only a very tiny number of companies that have an active goal of preventing rogue insider threats in a serious way. And the solutions do meaningfully inhibit developer productivity.