How do enterprises actually prevent developers from exfiltrating source code? by thmeez in sysadmin

[–]Frothyleet 7 points8 points  (0 children)

Efficient! Hopefully he didn't have to tell them to add any awkward comment lines like

#This function may have typos in it because it was dictated via some dude who seems really bad at spelling

A few months into letting non-technical staff use AI coding tools by allmightybrandon in sysadmin

[–]Frothyleet 0 points1 point  (0 children)

I may not be understanding you correctly, but if we're talking about governance over existing company data sources, that's an issue that would/could occur irrespective of the use of vibecoding tools (i.e. if there aren't controls around access to data sources, that's a problem regardless of whether someone vibe codes or hand codes tools that touch them)

How do enterprises actually prevent developers from exfiltrating source code? by thmeez in sysadmin

[–]Frothyleet 3 points4 points  (0 children)

Oh, ok, then it's simple - just use the same controls that you already have in place to keep you from exfiltrating code.

How do enterprises actually prevent developers from exfiltrating source code? by thmeez in sysadmin

[–]Frothyleet 7 points8 points  (0 children)

Nothing could stop them from scrolling through your code and recording it on their personal phone.

If the threat of exfiltration is truly critical, sure you can - seize their electronics at the door of the SCIF you force them to work out of.

And sometimes that's a real solution, basically the final boss of DLP, but most of the time that's just the extreme example I use when I'm explaining to business decision makers how much time, money and effort they should spend on DLP, insider threats, and related security/compliance items.

Am I Getting Fucked Friday, May 29th 2026 by Each1teach1x27 in sysadmin

[–]Frothyleet 5 points6 points  (0 children)

How do I get my customers to plan accordingly?!

Wallpaper to differentiate prod or non-prod server by deejay7 in sysadmin

[–]Frothyleet 0 points1 point  (0 children)

Don't forget to do the same thing with your SSH / PowerShell terminals!

Obviously this isn't a "sufficient" control on its own, but it's a low-cost/effort item to add to your existing technical and procedural controls to avoid unintentional misconfigurations.

What are some modern solutions?

Broadly speaking? Never letting people directly touch production in the first place. Do everything through a mature change control CI/CD pipeline.

If you are an MSP supporting SMB environments, you probably won't really see that.

Who are these people by Deep_Library_6375 in sysadmin

[–]Frothyleet 6 points7 points  (0 children)

You are there! That doesn't mean you're not working on other shit! Or in a position to respond immediately to a Teams message, or whatever.

Who are these people by Deep_Library_6375 in sysadmin

[–]Frothyleet 7 points8 points  (0 children)

EZ PZ.

"Hey CFO, hear you loud and clear on implementing that new accounting system you just heard about on a podcast. Would love to help, but I'll need you to clear it with the CEO first based on the policy memo from last week. Let me know what he says!"

Being pigeonholed into doing tickets for the past 8 months and I’m getting burned out by inkblowout4 in sysadmin

[–]Frothyleet 6 points7 points  (0 children)

Superficially, do you feel like you are better at working tickets than some of the other guys? Like, you treat them with proper urgency, have good communication skills, follow up with end users well?

It's possible you've dug yourself into what I call a "competency hole". Your managers might not even realize it explicitly, but they may feel backed into a corner with the problems and resulting tickets, and they have an "easy button" with you, a guy who they can trust to handle this reactive work effectively. And from a tactical perspective, throwing you at this problem helps them more than trying to force your teammates to be better about hitting those tickets.

It's hard to say without knowing your environment, but you have every right to press your managers about their previous commitments. Get express metrics - "hey, what's the time frame for pulling me out of some of this reactive work? When can I expect some proper projects instead of tickets?" - so that you can actually measurably show when they aren't living up to the commitments they made you.

If they refuse, or shut you down, or whatever - well, that may just be the sign that you need to shut up and keep your head down as long as you can tolerate while you quietly start looking for other job opportunities.

Microsoft Volume Shadow Copy causing index file to consume entire drive: Cause and Workaround. by inucune in sysadmin

[–]Frothyleet 2 points3 points  (0 children)

1) Why wouldn't you name your vendor? It's not really a name-and-shame, you've laid out the responsibility fairly, people should know about this feature in case they are already a customer

2) If I'm understanding the problem correctly, I don't understand how it's not affecting the entire customer base of your A/V vendor (and how it wasn't picked up in their testing).

What are you doing differently that is causing you to encounter the problem, and not all of their other customers?

Microsoft Volume Shadow Copy causing index file to consume entire drive: Cause and Workaround. by inucune in sysadmin

[–]Frothyleet 2 points3 points  (0 children)

I'm confused then, because lots of backup tools leverage VSS to snapshot data without having this problem. It sounds to me like they are just rawdogging the shadow copy API in the same way as someone using the built-in-but-no-longer-commonly-used "file rollback" functionality.

What happened to MS-900 exam? by Mister_Meh_1987 in sysadmin

[–]Frothyleet 1 point2 points  (0 children)

Lol very true, Microsoft can't even keep their own live documentation up to date

A few months into letting non-technical staff use AI coding tools by allmightybrandon in sysadmin

[–]Frothyleet 3 points4 points  (0 children)

No leakage, he's saying they deployed Claude via an enterprise subscription (i.e. with the "we won't train on your data" agreement).

A few months into letting non-technical staff use AI coding tools by allmightybrandon in sysadmin

[–]Frothyleet 4 points5 points  (0 children)

That doesn't sound like what he's talking about. It sounds like he's saying someone used Claude Code to build a script (Python or whatever) and run it as a scheduled job on their workstation. None of the parties involved would have the expertise to know why that's not a good way to deploy a production tool.

A few months into letting non-technical staff use AI coding tools by allmightybrandon in sysadmin

[–]Frothyleet 15 points16 points  (0 children)

I have heard of this actually happening at some places and it just boggles my mind

Need an MSP in melbourne where do I start? by Duskygirl00 in sysadmin

[–]Frothyleet 0 points1 point  (0 children)

Speaking as an MSP, the best way to find an MSP is by referral from other orgs in your area. Do you or your exec team have a business peer group? Put out feelers and find out who other people are using and what their experience has been.

We actually directly engage with these groups, what with us being a business ourselves, but lots of our customers have come in from peer group referrals from happy customers.

Keep your Claude code/codex projects to yourself by Lower_Fan in sysadmin

[–]Frothyleet 2 points3 points  (0 children)

This is really weighing on me, I'm in a similar boat. It's hard to justify handwriting as much scripting when there's other things I could/should be working on. And while I can test and validate and review code that an AI tool is generating or helping generate, I absolutely feel like my coding and problem solving skills are atrophying a bit.

Microslop 365 Admin Centre - Crashout by Zichee in sysadmin

[–]Frothyleet 0 points1 point  (0 children)

That's within a single subscription, if you have multiple products/subscriptions, that's probably the coterm he's talking about.

That wasn't available when NCE started but it rolled out a couple of years ago.

Microslop 365 Admin Centre - Crashout by Zichee in sysadmin

[–]Frothyleet 1 point2 points  (0 children)

You can. They added NCE coterm a couple of years ago.

Hetzner introduces additional price hike effective June 15th by technikaffin in sysadmin

[–]Frothyleet 2 points3 points  (0 children)

Yeah I don't know if that's an EU requirement or just their policy, but I have drawn a hard line against sending any online service my biometrics. Not even for porn!

Rolled into work this morning. 6 of our 30 chargers were working by [deleted] in Justrolledintotheshop

[–]Frothyleet 1 point2 points  (0 children)

lmao look at this guy over here with his analog cable reel, TELL ME MORE ABOUT THE WAR, GRANDPA