Does your workplace limit tools/IDEs/open source software you can use?
Posted by inter_fectum@reddit | ExperiencedDevs | 57 comments
I was told at work today my team can't use open source software, including editors, unless it is approved through some process that takes months and dozens of hours of meetings.
This is my first time in a larger enterprise and I am flabbergasted. I can't use vim because it isn't an approved editor? That is crazy!
Is this common in enterprise/fortune 100 enterprises?
QuitTypical3210@reddit
Yes. Nothing from russia
Crusty-Booger@reddit
That's normal for the majority of companies, regardless of size or sector
AHappySnowman@reddit
My experience around small companies is that most don’t give a shit about open source licensing and will use whatever is available.
halting_problems@reddit
I’m an appsec engineer and am responsible for doing A LOT of reviews.
It’s normal, and is only going to become more normalized. It doesn’t take us a month to review anything though but we are not highly regulated.
What you are going to start seeing, at least from the development side, is more companies using private registries and pinning dependencies.
Software supply chain attacks are probably the worst the world has ever seen right now. The issue is now malware is getting into build systems and onto dev machines much easier and faster than ever before. Once that package with malware is downloaded or loaded into memory it’s too late. You just have to cross your fingers and hope something stopped it from being effective.
Security teams don’t have room to make mistakes, or very little, so they are making sure packages meet compliance standards and are mature projects, checking how they have handled security incidents in the past, how many active contributors there are, etc.
Things like vim though, which is native to Linux (I think; never used a distro that hasn’t had it), it is kind of wild to me that it wouldn’t be approved.
Now if you’re talking neovim that’s another story. That’s a whole other ecosystem of packages that has to be monitored, and since it's very niche no enterprise tooling will handle it.
Honestly a year ago I probably wouldn’t have cared, but now since the supply chain compromises are popping orgs left and right I’d probably deny it if I couldn’t audit and inventory every package. Shit's for real getting wild and it’s just getting started.
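The two controls the comment above mentions, pinning dependencies and resolving only from a private registry, are easy to check mechanically. The following is an added example, not code from the original post: it audits a pip requirements file for exact pins, per-artifact `--hash` entries and a single approved index, and then verifies a downloaded artifact against the pinned digest. The registry hostname, package names and artifact bytes are constructed for the demonstration.

```python
"""Added example: audit a pip requirements file for exact pins, artifact
hashes and a single private index, then verify a download against its pin.
Registry hostname, package names and artifact bytes are constructed."""
import hashlib
import re
from dataclasses import dataclass, field

# Assumed private registry (illustrative hostname, not a real service).
APPROVED_INDEXES = {"https://pypi.internal.example/simple"}

# "name==1.2.3" is an exact pin; any other operator (or none) is a range.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass
class Requirement:
    name: str
    operator: str          # "" when no version specifier was given
    version: str
    hashes: set = field(default_factory=set)


def parse_requirements(text):
    """Return (index_urls, extra_index_urls, requirements).
    Backslash continuations, which pip uses for hash lists, are joined."""
    logical = re.sub(r"\\\n\s*", " ", text)
    index_urls, extra_urls, reqs = [], [], []
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("--index-url"):
            index_urls.append(line.split(None, 1)[1].strip())
        elif line.startswith("--extra-index-url"):
            extra_urls.append(line.split(None, 1)[1].strip())
        elif line.startswith("-"):
            continue  # other pip options are not part of this audit
        else:
            m = PIN_RE.match(line)
            if m is None:
                continue  # URL or VCS requirement; out of scope here
            reqs.append(Requirement(m.group(1).lower(), m.group(2) or "",
                                    m.group(3), set(HASH_RE.findall(line))))
    return index_urls, extra_urls, reqs


def audit(text):
    """Return policy findings; an empty list means the file passes."""
    index_urls, extra_urls, reqs = parse_requirements(text)
    findings = []
    for url in index_urls:
        if url not in APPROVED_INDEXES:
            findings.append(f"index-url {url} is not an approved private registry")
    for url in extra_urls:
        # A public extra index lets a same-named public package win over the
        # internal one (dependency confusion); let the private index proxy instead.
        findings.append(f"extra-index-url {url} mixes registries; use the private index only")
    for r in reqs:
        if r.operator != "==":
            findings.append(f"{r.name}: not pinned to an exact version")
        if not r.hashes:
            findings.append(f"{r.name}: no --hash, so the artifact cannot be verified")
    return findings


def verify_artifact(req, data):
    """True only if the downloaded bytes match a digest pinned for req."""
    return hashlib.sha256(data).hexdigest() in req.hashes


# Constructed stand-ins for the wheel the pin was generated from and for
# the same wheel after a registry compromise swapped in extra code.
GOOD_WHEEL = b"PK\x03\x04 examplelib-1.4.2 wheel contents (constructed)"
TAMPERED_WHEEL = GOOD_WHEEL + b" + injected setup hook"
GOOD_DIGEST = hashlib.sha256(GOOD_WHEEL).hexdigest()

GOOD_REQUIREMENTS = f"""
--index-url https://pypi.internal.example/simple
examplelib==1.4.2 \\
    --hash=sha256:{GOOD_DIGEST}
"""

SLOPPY_REQUIREMENTS = """
--index-url https://pypi.internal.example/simple
--extra-index-url https://pypi.org/simple
examplelib>=1.4
othertool==0.9.0
"""


def demo():
    _, _, reqs = parse_requirements(GOOD_REQUIREMENTS)
    return {
        "good_findings": audit(GOOD_REQUIREMENTS),
        "sloppy_findings": audit(SLOPPY_REQUIREMENTS),
        "good_wheel_ok": verify_artifact(reqs[0], GOOD_WHEEL),
        "tampered_wheel_ok": verify_artifact(reqs[0], TAMPERED_WHEEL),
    }
```

The hash check is what actually makes a pin worth something: a version string alone is still satisfied by whatever the registry serves under that name, while `pip install --require-hashes` refuses an artifact whose digest differs from the one recorded when the dependency was reviewed. The extra-index finding is deliberate: mixing a public index with a private one is the classic setup for dependency confusion, so the private registry should be the only resolver and proxy the approved public packages itself.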
Gashlift@reddit
I mean yeah? It’s a huge security risk
ElGuaco@reddit
HOLY SHIT The fact that this is the most upvoted response makes me believe that NONE OF YOU are experienced devs.
Open Source does not mean open to change by anyone, which is what I think most of you are confusing. Additionally, open source means anyone can read the code, compile it, and ensure that there is no secret terrible bad code hiding in there. Fear the closed library that you cannot verify. Paying for code does not make it inherently secure. The entire open source movement was founded on the idea of transparency.
The entire .NET platform is open source including its languages, compilers and runtime. Even the most popular free editor VS Code is open source. Python is open source. Most of Java is open source. Linux is entirely open source. Firefox is open source. VLC media player is open source. Fucking Git is open source. I'll bet all of you are using some kind of open source tools or you're not actually a developer.
What is a huge security risk are abandoned libraries, closed libraries, and libraries without fixes for known bugs. I've conducted months-long audits on complete Enterprise systems and I was more worried about the actual unaddressed security vulnerabilities than anything else. Open source only came up when they didn't have a compatible license, such as MIT or Apache.
Anyone working at a place where open source is suddenly bad probably has some clueless executive who read some stupid article somewhere about the dangers of open source and made a knee jerk reaction. It's uninformed and braindead.
I have worked in high security enterprise systems for PCI compliance. Each new library introduced into our code base had to be approved by at least two team leads or managers. It was a sensible approach that reduced risk, but just as importantly it prevented library bloat from people adding too many libraries that were already covered or should have been done by the lazy ass developer.
nrith@reddit
LOL, then I guess I’m not an experienced dev because I don’t feel like having this argument with the megacorporation I work for.
ElGuaco@reddit
What platform are you working on where nothing is open source?
Distinct_Bad_6276@reddit
Huge difference between “all open source is forbidden” and “wild west, anything goes if it’s OSS”. Almost nowhere is the former, and every sane company is the latter.
LordFlippy@reddit
They're not saying open source is inherently bad man, they're just saying that their org needs to screen a new library before using it, because as you mentioned it takes effort to clear a package's code of vulnerabilities and make sure it'll have enough support to not get immediately abandoned. In large orgs this can take a long time and goes through multiple departments, so the juice isn't usually worth the squeeze.
Head-Bureaucrat@reddit
Seconding this. It's very easy for someone who's new to developing in an enterprise environment to just grab a package because that's what SO/GPT said, but the license is wrong, it is abandoned, etc.
These approvals typically aren't for the experienced dev, they're for the new ones, and enterprises (in my experience,) typically just make one rule like that for everyone.
worst_protagonist@reddit
You think it is a huge security risk to not go through a months long approval process for ALL software?
Wide-Pop6050@reddit
It’s not unheard of. Usually strict in finance, healthcare, government
just_true_do@reddit
this is painfully common. my current place blocks npm installs but somehow allows random chrome extensions
susmines@reddit
Depends on the sector. Healthcare/Finance? Wouldn’t be surprising
grappleshot@reddit
It does limit. I work in healthcare, with PHI/PII, and our SecOps team is very particular about which nuget and npm packages we use in our solutions.
doradus_novae@reddit
Finance: yes we do
kevinsyel@reddit
Healthcare: yes we do
doradus_novae@reddit
Finance: Yes we do
carenrose@reddit
I mean, we're only allowed to install approved software. Doesn't matter if it's open source or closed source. That's the main limit right there, and also I think incredibly normal.
But we can use whatever software is approved, and that would include vim if it were just automatically included on OS install. (But unfortunately we're a Windows/Microsoft shop so ...)
GoodishCoder@reddit
Limitations on tools has been pretty standard everywhere I have worked
afty698@reddit
I’ve seen it both ways. At one large FAANG there was an approval process, but most of the software you’d want to use had already been approved, including vim. Have also seen places where you can install whatever you want.
Open source software, there’s a difference between just using it and adding a dependency to a codebase. If you add a dependency to a codebase you have to make sure the license is compatible, you’re doing what’s required with acknowledgements, etc.
maxakusu@reddit
Yeah. We have a tool that literally flags dependencies for risky licenses. Some of the licenses out there have stipulations for example that using their open source dependency essentially means your tool has to be open source. Obviously, most companies don't want that.
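A license-flagging tool of the kind described above is mostly policy plus a small SPDX expression evaluator. The block below is an added example, not the commenter's tool or any real scanner: it buckets SPDX identifiers into permissive, weak copyleft, strong copyleft and unknown, evaluates `OR`/`AND` expressions (a dual-licensed `MIT OR GPL-2.0-only` package is the consumer's choice, an `AND` binds every term), and applies the shipped-versus-internal distinction that comes up later in the thread around ffmpeg. The bucket membership, the policy and the inventory are constructed assumptions; which bucket a license really belongs in is the legal team's call.

```python
"""Added example: flag dependencies whose license would impose copyleft
terms on a shipped product, evaluating simple SPDX expressions.
Buckets, policy and inventory are constructed assumptions."""
import re

# Policy buckets keyed by SPDX identifier (illustrative mapping; an org's
# legal team owns the real one).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "AGPL-3.0-only"}
SEVERITY = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "unknown": 3}

# Older scanners still emit deprecated short names; normalise them.
LEGACY = {"GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
          "GPL-3.0": "GPL-3.0-only", "LGPL-2.1": "LGPL-2.1-only"}


def bucket(identifier):
    ident = LEGACY.get(identifier.strip(), identifier.strip())
    if ident in PERMISSIVE:
        return "permissive"
    if ident in WEAK_COPYLEFT:
        return "weak-copyleft"
    if ident in STRONG_COPYLEFT:
        return "strong-copyleft"
    return "unknown"


def evaluate(expression):
    """Effective bucket of an SPDX expression without parentheses.
    AND binds tighter than OR, so split on OR first. Within an OR
    alternative every AND term applies (worst bucket); across the
    alternatives the consumer picks the friendliest (best bucket)."""
    alternatives = re.split(r"\s+OR\s+", expression.strip())
    per_alternative = []
    for alt in alternatives:
        terms = re.split(r"\s+AND\s+", alt)
        per_alternative.append(max((bucket(t) for t in terms), key=SEVERITY.get))
    return min(per_alternative, key=SEVERITY.get)


def verdict(entry):
    """allow / review / block for one inventory entry."""
    b = evaluate(entry["license"])
    if b == "unknown":
        return "block"  # cannot assess; identify the license first
    if not entry["shipped"]:
        # Copyleft obligations attach on distribution, so build-time and
        # internal tools pass. AGPL's network clause is not modelled here;
        # treat an AGPL-licensed network service as shipped.
        return "allow"
    if b == "strong-copyleft":
        return "block"
    if b == "weak-copyleft":
        return "review"  # unmodified dynamic linking is usually fine; forks are not
    return "allow"


def review(inventory):
    return {entry["name"]: verdict(entry) for entry in inventory}


# Constructed inventory in the shape a license scanner would emit.
INVENTORY = [
    {"name": "tinyutil", "license": "MIT", "shipped": True},
    {"name": "media-codec", "license": "GPL-2.0+", "shipped": True},
    {"name": "dual-lib", "license": "MIT OR GPL-2.0-only", "shipped": True},
    {"name": "combo-lib", "license": "Apache-2.0 AND LGPL-2.1-only", "shipped": True},
    {"name": "build-helper", "license": "GPL-3.0-only", "shipped": False},
    {"name": "mystery", "license": "UNKNOWN", "shipped": True},
]
```

Two details matter in practice: an unidentified license is blocked rather than waved through, because "no license found" usually means all-rights-reserved by default, and the weak-copyleft verdict is "review" rather than "allow" because the answer depends on how the library is linked and whether it was modified, which a manifest cannot tell you.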
jax024@reddit
To a point, but if someone makes like a case for something, we hear them out
Working_Noise_1782@reddit
Lol my company gave me a laptop with Ubuntu on it as a daily driver.
Politex99@reddit
We have a list of Approved Software that we can use. It's quite large and it has all the common tools that you would need and then some.
After that we do need to request on a case by case basis, but in my 3 years I have never had to ask for it. Every time I needed to use a new tool, it was already present in the list.
Bach4Ants@reddit
When I worked at a major auto manufacturer, yes, I was similarly surprised. I ended up leaving for a startup because the tooling felt very limiting and I was spending too much effort on hacking, workarounds, and PowerPoints for leadership.
Goingone@reddit
Yes, every vendor/external piece of software needs to be approved.
doradus_novae@reddit
Welcome to my personal hell
SeparateDark251@reddit
Mostly. We have an official app portal where we can download approved software. We have to request licenses for JetBrains Rider. I specifically requested DataGrip, too. Most other devs use DBeaver, which we download directly.
We all use VSCode, but something blocks updates on the VSCode downloaded from Microsoft. But when we install through the app portal, updates work just fine.
Megamygdala@reddit
In a F500 company and yeah, though they give developers admin rights so I've installed a lot of open source trusted software to try out that I probably would never install on my personal PC
revrenlove@reddit
I've experienced not being allowed to use open source nuget packages in a highly regulated environment. Not common, but does happen.
Bricktop72@reddit
If they have that much process in place they should have approved IDEs for you to use.
Xacius@reddit
I'm in fortune 100 and I wouldn't say it's common. There are specific technologies that we can't use due to license overlap with some of what we do (ffmpeg being the big one), but we can still use ffmpeg internally. We just can't distribute anything with it. Makes electron apps a bit of a pain because it's bundled with chromium, but not a huge deal.
I can use almost any software I want though. They pay for a bunch of stuff too. I've got the entire Adobe suite, for example.
Sounds like you have either a really shitty legal team or management team.
TimelessTrance@reddit
Ffmpeg is licensing pain, but I have shipped products with it.
waterkip@reddit
Whats the license, whats the pain? I use ffmpeg never shipped something with it tho.
TimelessTrance@reddit
It’s a bit fuzzy, but I believe that by default it ships with LGPL licensing basically forcing you to open source your software. There is a GPL licensed version that does not, but lacks critical functionality.
waterkip@reddit
LGPL allows use in non (L)GPL software. It is made for it, it means you can compile against it no harm no foul. Once you start modifying the source you are on the (L)GPL hook.
But I think I understand the premise based on the followup. Plugin may or may not be GPL and when using a GPL plugin you must also GPL your software.
recycled_ideas@reddit
You've got GPL and LGPL backwards and it's not critical functionality it's certain codecs that are not LGPL licensed and so can't be used with the LGPL version. Those may or may not be critical to you.
sanityjanity@reddit
Government teams often have limitations, but they also have a process for open source tools
diablo1128@reddit
I worked on safety critical medical devices, think dialysis machines, for 15 years.
In terms of tools/IDEs we could use whatever we wanted if it was free. If you wanted the company to buy something you had to go through the proper channels for approval.
In terms of open source software it depends. If it's a library that is going in to the product then there is process that needs to happen to make sure the company will comply with the license and so forth. Many times if there was something similar previously approved you would be steered towards that unless you can make a case why you had to use the one you want to use.
If the open source software was a tool running on your computer then nobody really cared. You just had to be smart about what you were using. I'm sure if everybody was downloading tools riddled with malware that infected the company then people would crack down on it, but it never happened to my knowledge.
Southern-Reveal5111@reddit
I work in a healthcare company. We can’t use whatever software we want, but most well known software is already whitelisted. If it needs a license, it has to be approved. Unless it is an expensive piece of software, it is always approved.
However, if it needs to be shipped to the customer, then it has to go through the regulatory approval process. And it is almost always denied. Sometimes it is too much effort to do the documentation, and sometimes it is not shipped because of political reasons.
jeffbell@reddit
I would ask to see what’s on the approved list already.
If the list is long you might have what you need.
If the list is very short it might mean that getting things approved is impossible.
talldean@reddit
It is very common everywhere. Google, Meta, and I'd also say banking and healthcare.
For some (Meta) it's easier to get approved, for Google it's possible to get approved, the process is built to be fast. For banking and healthcare, the process is built to make you abandon all hope, near as I could ever tell.
RubyKong@reddit
How would anyone know (or care) what you use?
So long as the objective is met, does it matter whether you use Vim or VS Code or whatever.
RelevantJackWhite@reddit
the software we release is regulated. the software we use to make it is largely not
arnitkun@reddit
Approvals? Yes. Months? No.
There are industries/companies where you HAVE to use only what is allowed, but if the org has been around for a while chances are people with preferences like yours passed through it.
It is a point of friction, but nothing that should stop you from closing tickets. Assuming you are having trouble doing that, highlight to your manager ASAP, so that it doesn't fall on you.
Unless you are specifically asked to go around the guard rails, don't.
No-Economics-8239@reddit
Absolutely. It's amazing how normalized the process has become. Big enterprise was actively hostile to open source or any technology that wasn't backed by a big corporation that could offer some degree of liability shield for a long time. To say nothing of Microsoft's FUD campaign that was a pain for far too long. That most deploys are on a Linux distro today marks a massive shift in the industry compared to what it used to look like.
You don't want hot shots devs just bringing in random bits of technology they find shiny and interesting. Is that technology being vetted by enough eye balls to root out the more obvious problems? Will it continue to be supported? How big of a labor pool exists who can understand and maintain it?
The bigger the company, the more oversight tends to exist to vet incoming ideas, to make sure there aren't any obvious critical challenges to adding it to the approved list, and then the continuing audit process to make sure there are no severe vulnerabilities or problems that might appear later.
Today, that approval process tends to be a lot more streamlined than it used to be. And it can now merely be a matter of hours or days to get approval. In the Before Times getting approval for a second monitor or to pay for a non-approved IDE could be a massive political challenge.
Count your lucky stars at all the work done by the old-timers to put this cornucopia of tools and software and languages at your disposal. And consider the difference between those companies who don't have any vetting process and you find some project in a language you've never heard of that only compiles in an IDE that only runs on a Windows 98 virtual machine or some even older or more obscure OS.
OblongAndKneeless@reddit
Vim? Like from 1970? Your company needs an ass whipping.
Orrison@reddit
Mine does. It depends on your industry/sector. We are in higher education with full SOC 2 compliance, multiple ISO certs, and HIPAA.
Being able to have those types of accreditations requires audits that need software and processes pre-approved and monitored.
F0tNMC@reddit
It's not common, but not that unusual, especially for tools which may connect to non-local resources as a matter of course. Many places I've worked have had application whitelists with a kind of a side-eye view of people who bring their own tools.
That said, local only apps shouldn't be hard to get approved. I too am practically an invalid if I don't have Vim bindings in my editor. I've pretty much taken the "ask for forgiveness not permission" approach for using innocuous tools like MacVim and homebrew apps like jq etc. There's a strong justification for their use and very limited risk.
allknowinguser@reddit
I find it really hard to find a tool that isn’t approved related to coding. Although our review process is much faster
TheGRS@reddit
I do think orgs should crack down on this stuff more. Pulling in random NPM tools and libraries is probably not great.
They should let you use vim, not a big deal to get it through an approved tool chain either IMO, it’s ancient.
PoopyLoopyFloopyDoop@reddit
Yes.
It's basic CISO stuff. It sucks that it takes your org months to make these determinations. But no org that legitimately cares about information security is going to just allow any software to run on their hardware, let alone be used to author the software they create/sell.
If you're in banking, aerospace, insurance or healthcare then it's also likely that regulation simply prevents the free use of unverified/unexamined open source tooling in the sdlc at all.
A good Info. Sec. org will create processes (largely automated) that make this as frictionless as possible to prevent engineers from finding shady (and even less secure) ways to get the tools they want on their machines.
apnorton@reddit
When I worked at a large company, that was certainly the rule, but there was also a list of already-approved software and libraries that was thousands of items long. Unless you were doing something really niche, usually someone had already requested whatever you wanted.
AManHere@reddit
that's pretty crazy. vim ships with many POSIX systems.
frogic@reddit
Not that specifically, but it's a thing and you'll learn to laugh at it. It's possible I'm not allowed to use vim, but I also don't allow myself to use vim.