Matthew GarrettHot take: your desire to run your choice of OS on your work laptop does not trump my desire to ensure the safety of data belonging to our users
Making sure that code is developed on and managed from machines where we have reasonable confidence about the security posture is Good, Actually
keithp@mjg59 But, people in charge of security are never responsible for delays introduced by security leading to people routing around it to hit schedules.
Enforcing security with threats of dire consequences puts people in an unwinnable situation -- either get fired for security violations or get fired for failing to meet deliverables.
Enforcing security with threats of dire consequences puts people in an unwinnable situation -- either get fired for security violations or get fired for failing to meet deliverables.
@keithp yeah "Security says no" is a toxic (and common) scenario, and all restrictions need to exist for transparent and justifiable reasons, and shouldn't be imposed without discussion with everyone affected. But the flip side of that is that time taken to work with security in finding solutions needs to be factored into project planning - if company culture doesn't allow this, the culture is broken
@keithp (and I prefer solutions where it's simply impossible to do the insecure thing, so users don't have to worry about violating policies)