I'm wondering how everyone else manages security for their software development teams. I've been dealing with issues where our developers encounter random problems due to antivirus interference during their work. For instance, before we whitelisted a specific folder where they develop, the antivirus would sometimes remove essential build artifacts, particularly when compiling Rust projects. I made some adjustments by allowing them to work specifically in a whitelisted location.
However, after the recent npm security threats, I've grown concerned about our current approach, especially with the increasing reliance on `node_modules` and `.venv` folders in project directories. Thankfully, we haven't been hit yet, but I want to reconsider how we proceed. We're currently using BitDefender, but are planning a switch to Microsoft Defender during our transition to Intune, which might also impact our strategy. How have you all dealt with these types of security issues with your teams?
4 Answers
Consider setting up build containers or VMs. They can provide a secure environment for development and minimize risks from random software plucking things from memory. I used this method in the past, and it's pretty effective.
Relying solely on antivirus won't protect you from trojanized dependencies. A more effective approach is to curate your dependencies through an artifact store, where every version is reviewed before it gets added. This way, you ensure that only vetted software is being used, even though it might lead to using older versions during critical moments.
It seems like a centralized CI/CD setup could help a lot. Instead of letting developers work locally where they risk creating issues, consider automating builds in the CI and checking dependencies for updates or known vulnerabilities. Implement approval processes for merging, which can substantially decrease risks from supply chain attacks. The key phrase here is 'shift left' on security.
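The two answers above (a curated store of vetted versions, and a CI check that gates merges) can be combined into one concrete control. The following is an added example, not code from this thread: a merge-gate script that reads a `package-lock.json` and fails unless every installed dependency matches an approved name, exact version and integrity hash. The allowlist, the lockfile contents and the hash values are all constructed for the demonstration.

```python
import json

# Constructed allowlist standing in for a curated artifact store: only
# reviewed name/version pairs, with the integrity hash recorded at review time.
VETTED = {
    "left-pad": {"1.3.0": "sha512-AAAAconstructed"},
    "lodash": {"4.17.21": "sha512-BBBBconstructed"},
}
# Constructed package-lock.json (v2/v3 shape): "packages" is keyed by the
# install path under node_modules; the "" key is the project itself.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAAconstructed"},
        "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-CCCCdiffers"},
        "node_modules/lodash/node_modules/foo": {"version": "0.1.0", "integrity": "sha512-DDDD"},
    },
})

def lock_entries(lock_text):
    """Return (name, version, integrity) for every installed package. The name is
    the path segment after the last 'node_modules/', so nested installs and
    scoped packages (@scope/name) are handled the same way."""
    entries = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "":  # root project, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        entries.append((name, meta.get("version", ""), meta.get("integrity", "")))
    return entries

def audit_lockfile(lock_text, vetted=VETTED):
    """One finding per dependency the curated store has not approved. A package
    passes only if name, exact version and integrity hash all match; a known
    version with a different hash is reported separately."""
    findings = []
    for name, version, integrity in lock_entries(lock_text):
        expected = vetted.get(name, {}).get(version)
        if expected is None:
            findings.append(f"{name}@{version}: not a vetted version")
        elif expected != integrity:
            findings.append(f"{name}@{version}: integrity mismatch")
    return findings

if __name__ == "__main__":  # non-zero exit makes the CI merge gate fail
    problems = audit_lockfile(SAMPLE_LOCK)
    for p in problems:
        print("BLOCK:", p)
    raise SystemExit(1 if problems else 0)
```

In a real pipeline the allowlist would be generated from the artifact store rather than hard-coded, and the same shape of check applies to a Python lockfile's pinned hashes.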
From my experience, you can never fully satisfy developers when imposing security protocols. I faced resistance when I rolled out EDR and removed local admin rights. Despite extensive prep meetings, when the changes finally kicked in, they reacted negatively. Even with offers of alternative setups like VMs or additional laptops, nothing seemed to please them.