We once had to fight for stackoverflow access. Security responds: you devs should only require the manual provided by the vendor (in this case: Oracle javadocs)?
Dash (or its Windows equivalent, name escapes me) can be used to view and search these dumps (as well as dumps from GitHub, language docs, etc) offline: https://kapeli.com/dash
I was recently told by an old-timer at my current company that at one point security tried to remove Visual Studio from developers' machines because it had reported security incidents.
The problem with security people is that they think security is the most important thing.
The problem with devs is they think all security admins are reductionist. <3
A good security admin will work within the bounds of compliance to make the business work. And any good blocks will be apparent to the user. Trust me, security doesn't enjoy pissing people off, we just accept that it happens sometimes.
He was on the phone with the CISO who was explaining it's impossible to give him access to Splunk because of the network segmentation.
While he was ON THE PHONE, he received an email from the IT group with credentials to access Splunk.
And to be clear, I left specifically because of their security stance. I was once told they couldn't automate pulling data from production because of the same reason as mentioned above, the network segmentation wouldn't allow it.
So no, developers aren't just whining because they can't directly access PAN.
Security people always think their concerns should trump everything else. I would almost be willing to bet 70% of the mind-numbingly stupid decisions made across the industry had some security justification behind it.
If human beings took the same approach to safety that Security people do to security, they'd insist the wheels on your vehicle should only be able to turn straight and right. That the vehicle should _actively_ prevent you from turning your wheels left because left turns are more dangerous than right turns and they can show that you can _always_ get to your destination with just right turns.
I'm sorry you're so traumatized by a handful of experiences, and seemingly at only one or two places, that you can't comprehend a workplace or institution with a reasonable security team. They exist. Maybe one day you'll find one.
One of my former employers has developers, network admins and security professionals working together to maintain a deployment pipeline using GitHub, Terraform and AWS to let developers do as much as possible without having to request anything from security, ever. All the guardrails and checks are built in. Labs get to deploy just about anything, test and prod are identical, and prod has implicit restrictions on requiring encryption for data, prohibiting excessively powerful roles, and so on. But they've worked directly with development to get them everything they need ahead of time, in order to make IT and the business as effective as possible.
Security is necessary, and good security does what it can to stay out of the way.
Security people usually hate ad hoc and one-off requests for random stuff from random people. If you are part of the required business process, then there is a 100% established and approved way of doing things. For example, for Splunk the CISO simply needs to be added to an AD group that is designated to have Splunk access, something like a SOC-analysts group.
For pulling data from prod, this is often discussed. Data in production should not be pulled into lower environments (dev and test) because of segmentation, but you can absolutely operate with prod data within the prod environment, e.g. by using an approved production data lake or data warehouse or something.
Believe that for every security decision that you think is stupid, there are many incidents that happened, and every rule and ban came about because of these incidents/breaches/data corruption, etc.
It is like workplace safety instructions, they were written because of workplace injury, same for traffic laws.
Developers don't need local admin rights to develop software; plenty of devs in regulated industries work with user rights.
And there are plenty of statistics on developers falling victim to phishing attacks and credential stealing that leads to a major breach. The most recent Uber hack or Okta hack were all tied to a developer clicking on stupid stuff, opening executables from the Internet and getting his a$$ owned.
You just gotta accept the fact that developers are not security specialists; most of them can't even create software without introducing plenty of bugs and vulnerabilities. They mostly google stuff and copy-paste from stackoverflow, install shady barely working packages and copy-paste directly into production whatever code snippet they found on the first page of Google results. That's why they need extra control from security specialists.
We once had an idea about integrating libtorrent for distributing binaries. Turned out libtorrent website was banned by corporate firewall due to "piracy".
Decided the idea was not worth it to fight with infosec guys.
I would have taken that as my queue to start finding another job. Not that I can't puzzle everything out from scratch every single time I need to do anything, but why should I reinvent the wheel when off-the-shelf is both faster and higher quality?
These types of policies and mismanagement drive out the best talent and leave the organization filled with coasters who love any excuse to not do their job.
(cue, as in "a signal (such as a word, phrase, or bit of stage business) to a performer to begin a specific speech or action", e.g. "That last line is your cue to exit the stage". See https://www.merriam-webster.com/dictionary/cue)
As recently as 2015 I was working at a customer site where the web proxies were so misconfigured that Google was effectively blocked. The main page would load about a third of the time after maybe ten or twenty seconds. This was a huge org with 15K users, including dozens of developers and hundreds of general IT staff.
Turns out that a one-checkbox-tick fix was all it took to make that go away. The woman in charge of the web proxies panicked, thinking that this change had "broken something", reverted the change, and then refused to change it back.
Well, that depends. You certainly want to ensure the availability of the information under your remit isn't compromised by a threat actor, but reducing your attack surface by, say, shutting down external internet access is certainly a valid mitigation in some circumstances.
I didn't know either, so I looked it up: The three initials stand for the three most important IT protection goals, often referred to as the "pillars of data security":
Confidentiality,
Integrity,
Availability.
There are other IT protection goals, including authenticity, privacy, reliability, and (non)repudiation.
There are a number of sites categorized as 'file sharing or download' that we can't get to, here. Ugh. Bad idea when your userbase runs on free software.
I’ve used javadocs plenty, and really like them, but they are organised by package and class, so figuring out how to do something when you don’t know what package to use is very painful. Say you want to know how to delete a file at a given path. I’ve been around the block a few times, so I’ll know that it’ll probably be an operation on java.nio.file.Path, so I can find the Java doc for that, hit “Uses”, and search for “remove” (nothing) and “delete” (ah-hah, there it is).
If you don’t have a starting point like that from prior experience or stackoverflow, you’re stuck clicking around the package lists, hoping to land on something useful.
I am a junior developer and now I rely heavily on them, esp. for multi-threading stuff. But in most cases I know what I am looking for: the particular interface, or at least I have some idea. This is true for most of the JDK framework; other Javadocs indirectly. Ctrl+Q.
But I do sometimes go back and search for uses/examples of some implementation I found via docs, e.g. selectors and channels...
But right now, I am liking reading docs first.
Javadoc I find is excellent, but it's firmly in the "Reference"[0] quadrant of documentation. I find it very readable and useful when you know what you're looking for (finding subclasses of Collection, for example). However, Stack Overflow is excellent when you don't know where to start.
JavaDocs are like the owner's manual included in a car: useful for many things, but if you need to figure out what route to take to get from point A to point B it probably won't help you.