Hello:
We have a scenario — and I won't go into great detail, because it would involve going into sensitive things for the company — where a dev downloaded source code to their personal laptop, the laptop was compromised (stolen password) and the source code was downloaded from the laptop during the breach.
During the post-mortem, we discussed putting controls in place to prevent downloading files to personal devices.
To which the response was they'll just download to their company device and upload to Google Drive.
To which the response was block Google Drive.
Well, they'll just find a way around the allow lists…
… and then this spirals into a game of security whack-a-mole.
It looks like the company wants to take the codebase open source. That way, who cares if it is compromised.
My question for the group is does anyone have experience taking code open source?
What did it involve?
Lessons learned?
What did you have to do to the code to transition it from the company's private IP (protecting IP, secrets, proprietary stuff, etc.) to something the world can see?
Thanks!
p.s., really not looking for comments about performance management, additional controls (DLP, proxy, machine certs, etc.). I'm sure it's good stuff but not helpful with how I've framed the convo.
submitted by /u/corn_29
from Software Development – methodologies, techniques, and tools. Covering Agile, RUP, Waterfall + more! https://ift.tt/dIvhUci
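One concrete piece of the "what did you have to do to the code" question is a pre-release sweep for embedded secrets, internal hostnames and confidentiality markers. The script below is an added illustration, not code from the post or its author; the file contents, key formats and the 4.0 entropy threshold are constructed assumptions, and a real sweep would also walk the full git history, not just the working tree.

```python
import math
import re
from collections import Counter

# Constructed sample of a private repo's files, as one might see before a release.
SAMPLE_FILES = {
    "config/settings.py": [
        "DB_HOST = 'db01.corp.internal'",
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'",
        "DEBUG = False",
    ],
    "src/client.py": [
        "# Copyright (c) 2023 Example Corp. All rights reserved. CONFIDENTIAL",
        "API_TOKEN = 'q8Zx2vL0pRw9YkT3mNb7Hs5JdF4gC1aE'",
        "def connect(): pass",
    ],
}

# Signature-based checks: things a public repo should never carry.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "internal_host": re.compile(r"\b[\w.-]+\.(?:corp|internal|local)\b"),
    "confidential_marker": re.compile(r"\b(?:CONFIDENTIAL|PROPRIETARY|INTERNAL USE ONLY)\b", re.I),
}
# Quoted tokens long enough to be an API token; checked by entropy rather than format.
QUOTED = re.compile(r"['\"]([A-Za-z0-9+/=_-]{20,})['\"]")

def shannon_entropy(s):
    """Bits per character; random-looking tokens score well above prose."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_line(line):
    """Return the list of finding categories triggered by one source line."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(line)]
    for token in QUOTED.findall(line):
        if shannon_entropy(token) > 4.0:  # assumed threshold; tune per codebase
            hits.append("high_entropy_string")
    return hits

def scan_repo(files):
    """Return (path, line number, category) for every finding in the given files."""
    return [(path, n, kind)
            for path, lines in files.items()
            for n, line in enumerate(lines, 1)
            for kind in scan_line(line)]
```

Note that the AWS-style key is caught by its format but not by entropy, which is why both kinds of check are needed; each finding is then a decision point (rotate the credential, rewrite history, relicense or strip the marker) before anything is pushed publicly.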