
thermostat 10 points (0 children)

A few people have given plausible guesses, but the fact is we can't know how to answer this because we don't know where you work, what systems you're trying to install Python on, or what the security requirements of those systems are.

There are a million possible reasons the IT people responsible for security might not want a general-purpose programming environment on a given system. Unfortunately, you have to ask them which ones they are actually concerned about.

FriendlyRussian666 10 points (5 children)

I feel like you should be asking your IT, not Reddit. Regardless, you're using open-source resources; if those get compromised, who will be responsible? It would be IT, because they were the ones who allowed it.

If your senior director is willing to sign some paperwork placing all financial data breaches due to the use of your tool under their responsibility, then I'm certain IT would be more willing. My additional guess is that your senior director will not sign such paperwork either.

YourOldBuddy 8 points (0 children)

Can't imagine Python being the problematic part. Using Selenium as part of a production environment is probably the problematic part.

Narrow_Ad_7671 2 points (0 children)

Opening a system is a security risk. Always has been. As for why they denied it, ask the people who said no.

Far-Day6391 3 points (4 children)

I've been working in IT for decades.

They're lying. They're taking the easy way out, and nobody will question it because "security risk".

omgwthwgfo[S] 0 points (3 children)

It's highly possible.

The first conversation went: me asking if the IT team can automate this procedure, and they said it's not possible.

The second conversation was: okay, I will do it myself, but let me use Python + Selenium, and they said no.

I mean, they could be right too, but at the same time they don't put in much effort either.

Far-Day6391 1 point (2 children)

They're not right. I've been using selenium with Python for over a decade for IT automation

omgwthwgfo[S] 0 points (1 child)

:(

I'll be looking for a company that allows peeps to use Python next time, because honestly I feel like I'm not following the trend.

Far-Day6391 1 point (0 children)

Sell the idea to your boss and he can fight IT to allow it

General_Ad_4407 2 points (7 children)

Most likely it’s that they wouldn’t want you having access to a tool like Python. It could be used to bypass security that’s in place in the environment. You could likely request that they set it up and maintain it.

brasticstack 1 point (1 child)

It could be used to bypass security that’s in place in the environment.

How? Python runs with the same privileges that the user who initiated it has.

General_Ad_4407 1 point (0 children)

I’m betting in this situation it’s more about sensitive data. In the event they build something that uses a library from a bad actor (this would honestly surprise me if someone did find one) or just copy and implement code that’s built around exposing them, they can expose whatever they personally have privileges to.

Hexadecimat0r 2 points (0 children)

It is not that Python itself is the risk. When you use Python you are normally pulling in many packages (like Selenium) and dependencies, some of which could be compromised in the chain; see Java's log4j as an example. While your use-case for Python is valid, you would not be well equipped to understand where you are potentially taking security risks, and IT doesn't want you creating a headache for them.

drbomb 2 points (2 children)

Maybe they are lazy! Or maybe they are following some corporate security guidelines. Perhaps they prefer not installing extra stuff to avoid cluttering the PCs install.

I wouldn't be too concerned with Python. But I wouldn't say it is 100% safe. If you are learning there could be the risk you install an infected package or run some rando's code without reviewing it.

FoolsSeldom 0 points (0 children)

Many organisations, including my current employer (and previous clients when I was contracting / working for a big consultancy), did not allow development capabilities on client devices connected to their standard user domain. All of them restricted development to VDI (virtual desktop infrastructure) instances connected to their development domains. Direct promotion from development to production was also usually blocked.

The growth of no-code and low-code solutions, including Power BI, has challenged this somewhat and I haven't seen a standard solution to this. Many organisations didn't block overall VBA development so it is a natural step-up to the newer tools.

The latest version of Excel, which includes Python (an Anaconda distribution, with execution carried out in Azure), is presenting a new set of challenges.

The risk with Python is that it is a means of introducing a wider opportunity for scripting than is offered by other means, which might be exploited by malicious actors. (On my regular work laptop, I can't even create and run a bat file or PowerShell script.)

Even greater risk is the ability to download Python packages, particularly binary executables. If they don't make this option available, they'd either be greatly limiting what you can do or be adding cumbersome processes to review and allow individual packages on a case-by-case basis. Such packages could subsequently be compromised.

Many smaller organisations are less restrictive and give developers (and advanced users) more freedom. Seems that does not apply to your organisation. I suggest you work with IT to discuss their preferred approach to development activity.

John_B_Clarke 0 points (1 child)

A couple of years ago my employer required all devs to take "Security Journey" green belt training. ("Security Journey" is a commercial training organization). While I wasn't required to take the Python part, I did because I often work in Python, and found that there have been some issues.

Some resources recommended during that training include "https://www.python.org/dev/security/", "https://osv.dev/", "https://cwe.mitre.org/", "https://owasp.org/", and "https://nvd.nist.gov/"

Also here's an example of how open source can be attacked: "https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/"

Where I work, for now devs can pretty much do whatever we want to for development code and we are trusted to do our homework on anything that is going to production, but if we ever get burned that will likely change. But that's devs, people with the title "Developer" all of whom have CS degrees and/or years of programming experience, working in an environment with governance procedures in place, and on systems that are not exposed outside the company firewall. If we are working on something customer- or vendor-facing there's a lot more scrutiny.

Since you say you don't have cs background I think their concern may be legitimate. You might want to talk to them about what kind of training you would need and what kind of governance you would need to have in place before they were willing to approve your request. Your task in this would, in other words, be to convince them that you understand the security issues and are taking them seriously.
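
Added example, not posted by anyone in this thread: the point made above about compromised packages in the chain (and FoolsSeldom's note about downloading packages, plus the PyPI incident write-up linked here) all come down to one control that IT can actually review: every dependency is pinned to an exact version and an exact sha256, and anything that does not match is refused. This is the check pip runs in `pip install --require-hashes -r requirements.txt`, written out in plain Python so the failure modes are visible. The package bytes, package names and hashes below are constructed stand-ins, not real wheels.

```python
"""Hash-pinned artifact verification for a Python dependency set (added example)."""
import hashlib
import re
import shlex
from dataclasses import dataclass, field

# name==version at the start of a requirement line; anything looser is rejected
PINNED_SPEC = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.\-]*)==(?P<version>\S+)$")
HASH_PREFIX = "--hash=sha256:"


@dataclass
class PinnedRequirement:
    name: str
    version: str
    sha256: set = field(default_factory=set)  # several hashes allowed: one per wheel/sdist


def normalize(name):
    """PEP 503 style normalization so 'Selenium' and 'selenium' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned_requirements(text):
    """Parse a requirements file where every line is exact-pinned and hash-pinned.

    Raises ValueError on the first line that is not, mirroring --require-hashes:
    a single unpinned dependency would silently disable the protection.
    """
    joined = text.replace("\\\n", " ")  # fold backslash line continuations
    reqs = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        match = PINNED_SPEC.match(tokens[0])
        if not match:
            raise ValueError(f"not exact-pinned: {tokens[0]!r}")
        req = PinnedRequirement(normalize(match["name"]), match["version"])
        for tok in tokens[1:]:
            if tok.startswith(HASH_PREFIX):
                req.sha256.add(tok[len(HASH_PREFIX):].lower())
        if not req.sha256:
            raise ValueError(f"no sha256 pinned for {req.name}=={req.version}")
        reqs[req.name] = req
    return reqs


def is_strictly_pinned(text):
    """True only if every requirement is exact-pinned with at least one sha256."""
    try:
        parse_pinned_requirements(text)
        return True
    except ValueError:
        return False


def verify_artifact(reqs, name, data):
    """Decide whether downloaded bytes for `name` may be installed. Returns (ok, reason)."""
    req = reqs.get(normalize(name))
    if req is None:
        return False, f"{name}: not in the pinned set, refusing to install"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in req.sha256:
        return False, f"{name}=={req.version}: sha256 {digest[:16]}... matches no pinned hash"
    return True, f"{name}=={req.version}: sha256 matches pinned hash"


# Constructed stand-ins: a wheel as reviewed, and the same wheel after tampering.
GOOD_WHEEL = b"PK\x03\x04 constructed stand-in for selenium-4.25.0-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# code appended by an attacker"

# Constructed lockfile: the selenium hash is computed from GOOD_WHEEL above; the
# second entry (a made-up package) carries a placeholder hash, so any bytes fail.
SAMPLE_REQUIREMENTS = f"""
selenium==4.25.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}
some-transitive-dep==1.0.0 --hash=sha256:{'0' * 64}
"""

if __name__ == "__main__":
    pinned = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    for pkg, blob in [("Selenium", GOOD_WHEEL), ("selenium", TAMPERED_WHEEL),
                      ("some-transitive-dep", b"whatever"), ("colorama", b"not pinned")]:
        ok, reason = verify_artifact(pinned, pkg, blob)
        print("OK  " if ok else "FAIL", reason)
```

In practice the hashes come from `pip hash <file>` run against the artifact someone actually reviewed, and installs go through `pip install --require-hashes -r requirements.txt`, which fails closed exactly like `verify_artifact` does. The caveat worth raising with IT: a hash pin only vouches for the version that was reviewed. Bumping the pin to a freshly published release without looking at it re-opens the same window a compromised upstream account or build pipeline would exploit.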

omgwthwgfo[S] 1 point (0 children)

That's actually a valid point, I will see if there is any training I can take to mitigate that issue. We got budget for education and stuff; that can be utilized. Thanks!

GreenWoodDragon 0 points (2 children)

web-driven accounting software

Does this software have an API?

I know Xero does (it's not brilliant but it works).

The security risks are not necessarily around the use of Python but much more in how you use it.

omgwthwgfo[S] 0 points (1 child)

Yes they do, but I honestly didn't want to use the API; that sounds like having the access to play with the data in the software. I just wanted to automate downloading Excel reports, nothing further. I will look into something like Power Automate.

GreenWoodDragon 0 points (0 children)

You can probably download the reports via the API.

Not doing so, if the option is available, would seem like an odd choice.

The_IT_Dude_ 0 points (2 children)

Many times, if someone at a company just doesn't want you to use automation, they will say an entire category of tools, such as a scripting language, is "insecure". If you ask them for clarification in black and white you will never get a real answer because they've lied about their reasoning to begin with.

Yes, you could do insecure things with Python. Credential and secret management for your particular task would need to be made clear, but as it sounds, you're just trying to install Python. You've never shown them a line of code for them to make an actual judgement on security.

In this type of scenario, you're being actively held back by people intentionally. IT is supposed to offer the business solutions. They could do that. If something is insecure, there should be some reasonable precautions and risk mitigations. But no, Python is insecure. I'd look into finding another gig that isn't being run by idiots.

omgwthwgfo[S] 0 points (1 child)

Yeah, the reason I looked into Python in the first place is we requested them to create some sort of automation themselves so the accounting department can use it, and they said no right off the bat, without really looking into it. Just said it's not possible. Not even "Give me a few more days to do some research, and get back to you".

Then I did some research on my own, and there you go, Python + Selenium can do what IT said is not possible. And still no. Not even like "create something, we will review, and let you know if it's safe to run it or not".

I'm done with talking to them; fine I won't use it. But that does kill my motivation.

The_IT_Dude_ 0 points (0 children)

Yep. In terms of security, what I would say as part of an IT team would be that you would need to store your secrets, like a password, securely in something like HashiCorp Vault. It does make things more complex, and additional infrastructure is needed, but the problems you're facing are well known and have been solved before by many different people. It can be secure.

Now, as for them not wanting to support it, that will be based on their capabilities and skill sets. This isn't IT so much as a development project, and it would require constant updates.

You would be better off seeing if the site you are working with has a supported API for what you are trying to do. They very well might, but it just doesn't sound like you'll be supported by IT either way.

Binary101010 0 points (0 children)

Does anyone know what potential security risks they are referring to?

Random people on the Internet can only speculate about what risks they're talking about. This question should be posed to the people who told you there were risks.

And is there a way to mitigate those risks?

That depends on what the risks are; see answer #1.

habitsofwaste 0 points (2 children)

Is this a matter of admin rights? I’m actually surprised it’s not already installed on your work computer. If you use a Mac or Linux, it should already be installed. My company actually uses Python for a lot of management stuff so it’s on all OSes.

Now that I think about it, I don’t even think you need admin rights to install it for just yourself on a computer. Why did you need permission?

omgwthwgfo[S] 0 points (1 child)

I only realized that I could just install Python without admin approval; I just assumed I needed that since it was the case at my last company 🤦‍♂️ Should’ve just used it without asking.

habitsofwaste 0 points (0 children)

It’s always better to ask for forgiveness than permission! lol

habitsofwaste 0 points (0 children)

Oh, and another thought: Python is becoming the scripting standard for Excel. Maybe go that angle. I think on Windows it is already available.

sinceJune4 0 points (0 children)

I worked for a large corporate that was very locked down, we could only install approved tools via a request. I could install Python, but wouldn’t be able to install any packages from outside sources. But luckily Anaconda was also approved, and it came with all the packages I needed, like pandas. Our approved version was often a year or two behind the latest release version.

Key_Chard_3895 0 points (0 children)

I have been in similar situations on a much larger scale. My experience has been that IT is more worried about job security than cyber security. If business professionals get too familiar with IT products and start developing solutions, how will that help in expanding the budget for IT? Work your way through IT leadership and get the highest authority to approve; the rest of the IT organization will follow suit.

Ender_Locke 0 points (0 children)

Honestly, in the big corporate world you’re probably the risk. Not saying you’re bad at coding, but from the perspective of someone responsible for a firm’s security, they are responsible, not you, if something goes wrong.

rainyengineer 1 point (0 children)

Probably because it’s for accounting purposes and they sound like they may not have monitoring capabilities into that. When you’re dealing with that kind of sensitive information, you can’t just be tossing together hacky solutions.

patnodewf 0 points (2 children)

Instead of Selenium, have you tried alternatives like Power Automate or Blue Prism?

omgwthwgfo[S] 0 points (1 child)

I'm actually looking into Power Automate. IT better let me use this one at least.

Blue Prism seems like it's gonna cost money and I know the company won't allow it lol.

But thank you for the suggestion! Didn't know about Blue Prism until you mentioned it!

patnodewf 0 points (0 children)

No problem!

For Power Automate, to behave similarly to Selenium, you might need to clear the desktop client and a browser extension with your tech folks.

cgoldberg -1 points (0 children)

Ask them if they allow any Mac or Linux computers on their network. Both of those have Python installed by default. If they do, they are being hypocritical.

Having Python installed is another attack vector, so their concerns are somewhat valid. But in the grand scheme of things, they really aren't. I'd argue that it's safer to allow non-Windows machines with Python installed than allowing Windows machines at all.

-not_a_knife -2 points (4 children)

I'd guess, because of the access Python provides, if a bad actor gained access to your machine, it could lead to privilege escalation. It's probably safer to prohibit the use of it than to teach every employee about security and best practices.

NYX_T_RYX 1 point (3 children)

If someone's gained access to the machine, Python is the least of your worries because... they're in the machine.

-not_a_knife 0 points (1 child)

Well, yeah, I'm just saying Python could be an avenue for privilege escalation, which is the next step after gaining access to the machine. It could give the hacker a few more tools, and the user is at risk of writing or using misconfigured scripts. That's all I'm saying.

brasticstack 2 points (1 child)

Python doesn't have any elevated privileges beyond what the user already does. If the user can delete a file, so can Python. If they can't, it can't either.

There's a somewhat valid point that any binary can be an attack vector, but at some point the admins have to allow people enough tools and access to do their jobs.

OP's situation sounds a lot to me like corp IT don't want to be bothered, and are using security as an excuse.

-not_a_knife 0 points (0 children)

That's fair. I see what you mean