Comment by alkonaut
20 hours ago
Devs not having read access to all code seems like a massive org smell. What’s worse, in many cases not having access doesn’t just prevent you from seeing it it also prevents you from knowing it exists. Now you don’t know what to ask for, who to ask, or what to not implement again.
There is no security risk that you could use to convince me that ”devs should only have access to code they need to modify”.
in my org, devs don’t have access to customer data directly, and sysadmins don’t have access to modify code.
It’s a simple rule from a simpler time, to limit the risk of total compromise.
Repos should not contain customer data.
Private Repos, in githubs case, might be customer data.
I think this might be more aimed at ensuring that if an attacker gains access to cloud login credentials via a compromised dev machine, those credentials can't then be used to access customer data.
Yeah I worked in a company that blocked access to their main (terrible) product from some devs. They are not doing too well...