by slt2021 1353 days ago
I've been on both sides, was a developer and then a security engineer, now back to dev work. I know there are quite a few very talented engineers, but there are also quite a lot of mediocre developers, including interns, new grads, or startup folks who are used to cowboy-style edits directly in production and no tests. You always want to plan your security controls for the weakest link, for the dumbest person, prepare for the worst case. This is how you have some assurance that your security will work regardless of who is sitting in front of the keyboard: teenage intern or gray beard guru.

Using your car analogy - car designers created the steering wheel, blinkers, and mirrors to increase safety, but you insist that since you are a power user - you want to be able to turn left/right by drifting using the parking brake. This is obviously a safety risk on public roads, and it is understandable how a corporate fleet employer like Greyhound might not allow drifting when driving a company bus with passengers.

You are free to drift on your personal equipment though, during non-work hours and without wearing company clothes.

Developers really don't need admin rights, Visual Studio and any other software is updated automatically these days using tools like SCCM. This is not an issue at all. If you need full control over the OS - install free VirtualBox, or get a lab VM and do whatever you want inside that isolated VM, but not on the host machine. Because your machine is tied to AD, email, a bunch of other corporate stuff - IT cannot risk giving admin rights, so that you can disable all necessary security protections.

Just because you are a power user, doesn't mean your colleague in the next cubicle is as smart and doesn't click on phish LinkedIn emails.

PII is not an issue at all, because of security endpoint agents, network traffic inspection, data loss prevention, and network segmentation, and a bunch of other security controls.

Just because you make over 6 figures doesn't make you any better than minimum wage IT support folks, they are following scripts and established procedures very well, most of them do their job well.

I agree that a lot of places have security theatre, because security engineering is an even rarer skill than software engineering, it is much harder to find a skilled seceng than an SDE.

But things like SQL injection, shell command injection, URL traversal, and a zillion other attacks - are made possible by software developers, and it then becomes SecEng's problem to protect the company against whatever crap they coded and pushed to prod.

2 comments

> Because your machine is tied to AD, email, bunch of other corporate stuff

Most of the time, I genuinely wish it wasn't. There's so much I have access to, that I would never, ever need. And because I have that, I can't access things I actually need.

Just give me an iPad for all the corporate stuff and let me work on an open PC.

None of the things you're describing are protected by removing local admin rights. That's the point.

First you compare the risk of losing limbs to having admin rights, now it's drifting on public streets is like wanting to install python.

You can't find anything reasonable because there isn't any.

I’ve personally abused unauthorized developer Python installs for privilege escalation > 3 times while red teaming.

Consider the possibility that you may be wrong.

You haven't provided a single valid reason why a developer needs admin privilege.

Should I quote myself a 3rd time with the analogy pointing out that just because you can get somewhere using only right turns doesn't mean that's how you should do it?