|
|
|
|
|
|
by lelandbatey
368 days ago
|
|
|
It's not a straw man, I'm not trying to defuse liability. Of course a developer running malicious code they wrote is responsible for the outcomes. I am pointing out that if every unique binary never before run/approved is blocked, then no developer will be able to build and then run the software they are paid to write, since them developing it modifies said software into a new and never before seen sequence of bits. OP may not have meant to say that "it's good to have an absolute allowlist of executable signatures and block everything else", but that is how I interpreted the initial claim and I am merely pointing out that such a system would be more than inconvenient, it'd make the workflow of editing and then running software nearly impossible. |
|
|
This is often the case, although I’ve very rarely seen environments as restrictive as what you describe being enforced on developers.
Typically developer user accounts and assigned devices are in slightly less restrictive policy groupings, or are given access to some kind of remote build/test infrastructure.
Of course companies need the option to control what software is run on their infrastructure. There are an endless stream of reasons and examples for that. Up-thread there’s a great example of what happens when you let folks install Oracle software without guardrails. Businesses are of course larger and more complex than their developers and have needs beyond their developers.
What matters here is implementation and policy management. You want those to be balanced between audience needs and business needs.
It’s also worth mentioning that plenty of developers have no clue what they’re doing with computers outside their particular area of expertise.