On Sun, Dec 7, 2014 at 7:35 AM, Ishak Micheil <isaa...@gmail.com> wrote:
> I think, it really depends on the organization business type. From an
> information security management perspective, we are always very
> conservative when hiring developers who contribute to OSS. Not directly
> related to skill set, but rather the price tag on data loss prevention
> program.

Can you elaborate?

-Denis
_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

I will give you the points and then elaborate.

1- Generate funds
2- Risk Level

Developers are viewed as a great asset to an organization; due to the direct nature of their time will and very likely generated funds. With that in mind, I believe part of the statements in the NDA (Non-Disclosure Agreement) is heavily pointing towards developers. In any organization type that is always under a great level of pressure from competition (the financial industry, for example) in providing optimal services to their customers, developers play a major role. From secure coding, to neatness and attractive look and feel.

What does that have to do with OSC, you may ask? When a developer is attracted to or directly involved in OSC, the hiring manager must pause and analyze: can that be yet another use case in the DLP program? Indeed comes the answer. From asking simple questions to posting excerpts from internal or "company owned" code in an effort to troubleshoot or assist in an OSC project, or even flat out sharing an entire code in an effort to aid or assist in OSC. That will present a risk of:

1- Internal classified (company owned) code leaked.
2- More susceptible to social engineering exposure.
3- Great challenge in monitoring and controlling such events and direct results.

Is it really that big of a deal? Usually it depends on the hiring manager and the department you are joining. In an information security department, you will indeed face more scrutiny when you mention OSC.
My advice has always been, when interviewing, keep the OSC card in your pocket unless you are asked and make sure to point out the understanding of classified information and follow through with that.

Ishak