by ferguess_k 34 days ago
Can relate. A lot of the time it is the process that is slowing people down, and it is unrealistic for any corporation to do security audits for everything developers need on time, so unfortunately rules have to be bent.

Some big corps resort to a different tactic: they ONLY allow in-house tools. IDEs, communication tools, everything you need on a daily basis: they make in-house tools for that. It costs a lot of money, but they care about security.


Worse is when the "team" doing the auditing is one guy, and that guy leaves with no replacement... and you need to explain to mgt that their new product release hasn't gone out for 3 months because you can't get the new versions of modules cleared and into the internal repo for production apps.

Actually happened at one of the largest banks in the world when I was contracting there. And that was mostly just a license/legal audit, not even a full source/security audit.