I think you probably don’t realise you hate standards and certifications. No IT person wants yet another system generating more calls and complexity. but here is iso, or a cyber insurance policy, or NIST, or acsc asking minimums with checklists and a cyber review answering them with controls.
Crazy that there’s so little understanding about why it’s there, that you just think it’s the “IT guy” wanting those.
I worked in software certification under Common Criteria, and while I do know that it creates a lot of work, there were cases where security has been improved measurably - in the hardware department, it even happened that a developer / manufacturer had a breach that affected almost the whole company really badly (design files etc stolen by a probably state sponsored attacker), but not the CC certified part because the attackers used a vector of attack that was caught there and rectified.
It seemingly was not fixed everywhere for whatever reason… but it’s not that CC certification is just some academic exercise that gives you nothing but a lot of work.
Is it the right approach for every product? Probably not because of the huge overhead power certified version. But for important pillars of a security model, it makes sense in my opinion.
Though it needs to be said that the scheme under which I certified is very thorough and strict, so YMMV.
So you don’t trust me, but you trust McAfee to give it full control over the system. Yet my software doesn’t work because something is blocked and nothing is showing up in the logs. But when we take off Mafee, it works. So clearly McAfee is not logging everything. And you trust Mcafee but not me? /s kinda.
No one on earth trusts McAfee, be it the abysmal man or abysmal AV suite.
If the EDR or AV software is causing issues with your code running, it’s possibly an issue with the suite, but it’s more likely an issue with your code not following common sense security requirements like code signing.
Still, that was just one example. EDR reacting to your code is likely a sign of some other shortcut being taken during the development process. It might even be a reasonable one, but if so it needs to be discussed and accounted for with the IT security team.
I think you probably don’t realise you hate standards and certifications. No IT person wants yet another system generating more calls and complexity. but here is iso, or a cyber insurance policy, or NIST, or acsc asking minimums with checklists and a cyber review answering them with controls.
Crazy that there’s so little understanding about why it’s there, that you just think it’s the “IT guy” wanting those.
I worked in software certification under Common Criteria, and while I do know that it creates a lot of work, there were cases where security has been improved measurably - in the hardware department, it even happened that a developer / manufacturer had a breach that affected almost the whole company really badly (design files etc stolen by a probably state sponsored attacker), but not the CC certified part because the attackers used a vector of attack that was caught there and rectified.
It seemingly was not fixed everywhere for whatever reason… but it’s not that CC certification is just some academic exercise that gives you nothing but a lot of work.
Is it the right approach for every product? Probably not because of the huge overhead power certified version. But for important pillars of a security model, it makes sense in my opinion.
Though it needs to be said that the scheme under which I certified is very thorough and strict, so YMMV.
I thought my comment was pretty clear that some rules are justified and that the IT person can just be the bearer of bad news.
Maybe not, hopefully this comment clarifies.
So you don’t trust me, but you trust McAfee to give it full control over the system. Yet my software doesn’t work because something is blocked and nothing is showing up in the logs. But when we take off Mafee, it works. So clearly McAfee is not logging everything. And you trust Mcafee but not me? /s kinda.
No one on earth trusts McAfee, be it the abysmal man or abysmal AV suite.
If the EDR or AV software is causing issues with your code running, it’s possibly an issue with the suite, but it’s more likely an issue with your code not following common sense security requirements like code signing.
you don’t code sign during development…
It’s not common, but it should be.
Still, that was just one example. EDR reacting to your code is likely a sign of some other shortcut being taken during the development process. It might even be a reasonable one, but if so it needs to be discussed and accounted for with the IT security team.