
Re: [ljc] Optimising sheep dips

From: Stephen M.
Sent on: Friday, February 20, 2015, 9:32 AM
Hi Wesley,

At least, it’s not an MOD site, and we will have secondary laptops connected to the internet. So we won’t be completely cut off. I have worked in that world previously, and it wasn’t much fun. No kind of mobile phones or other electronic devices permitted on site. Escorted everywhere for the first couple of months, while they waited for my security clearance to be processed. I stuck it out for about 3 months. :)

So we’re not completely cut off, but anything entering the ‘secure’ network will need to go through what is being referred to as a ‘sheep dip’. And it does seem that those sheep dip queues could get rather long.

To answer your question, the reason for the lock-down is sensitive data. However, it’s sensitive data ‘owned’ by a government department and classified towards the higher end of their scales (not getting into the world of ‘top secret’ though), which means that various mandatory restrictions are imposed.

As you mention, I reckon that a dual network setup would probably be better, given that we would not need to go through such rigorous checks to set up the third party executable software and updates. Hopefully, the interfaces and shape of the secure data are not considered to be restricted, so stubs could be developed in a developer DMZ. All that would pass into the secure network on a regular basis would be our own build artefacts and a number of open source libraries that we depend on. I suspect that we could introduce a process to automatically validate hashes of those open source libraries, to avoid having to re-validate them completely on every release. I guess we would need a certain amount of 3rd party tooling in the secure environments, but it shouldn’t be the kind of tooling that really requires regular updates.

From what I have seen of the infrastructure designs, there is an assumption that all development will be carried out from within a single secure network. A lower restriction network has not been planned. That’s partly the reason for this query. If I’m to have any chance of persuading them to redesign the infrastructure to include a development network, I will need to present a well-formulated justification early. Hopefully I’m not too late to make such requests...

Steve


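One way to implement the hash check Steve suggests above, as an added example that is not code from the thread: keep a manifest of SHA-256 digests recorded when each open-source jar was last fully reviewed, and sort an incoming batch at the sheep dip into already-approved, changed (needs re-review) and new. The file names, digests and the dictionary manifest format are constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large jars need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_artifacts(artifact_dir: Path, manifest: dict) -> dict:
    """Compare every .jar in artifact_dir against the approved manifest.

    manifest maps file name -> SHA-256 hex recorded at the last full review.
    'approved' can pass on hash alone, 'changed' no longer matches (re-review;
    possibly tampered or a silent re-release), 'new' has never been reviewed.
    """
    report = {"approved": [], "changed": [], "new": []}
    for path in sorted(artifact_dir.glob("*.jar")):
        actual = sha256_file(path)
        expected = manifest.get(path.name)
        if expected is None:
            report["new"].append(path.name)
        elif actual == expected:
            report["approved"].append(path.name)
        else:
            report["changed"].append(path.name)
    return report


def demo() -> dict:
    """Constructed sample: three fake jars and a manifest from an earlier review."""
    with tempfile.TemporaryDirectory() as tmp:
        artifacts = Path(tmp)
        (artifacts / "example-lib-1.0.jar").write_bytes(b"reviewed bytes")
        (artifacts / "example-util-2.1.jar").write_bytes(b"bytes changed since review")
        (artifacts / "example-new-0.1.jar").write_bytes(b"never reviewed")
        # Assumed to be written on the secure side after a full review; it must
        # live where only the sheep-dip operator can update it, or be signed,
        # otherwise a swapped jar and a swapped manifest would pass together.
        manifest = {
            "example-lib-1.0.jar": hashlib.sha256(b"reviewed bytes").hexdigest(),
            "example-util-2.1.jar": hashlib.sha256(b"original bytes").hexdigest(),
        }
        return classify_artifacts(artifacts, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```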

> On 20 Feb 2015, at 08:25, Wesley Hall <[address removed]> wrote:
> 
> Stephen, 
> 
> This is going to be immensely painful I’m afraid. I am doubtful that I would even take a job in an environment. I simply need an active internet connection to do my job. It’s like employing a surgeon and telling them they cannot use a scalpel. 
> 
> I don’t know about the environment and the reasons for such a hefty security process, but I would be looking for ways to avoid having to cut the development team off from the world at pretty much all costs. 
> 
> Look to isolate the reasons for this requirement, not the developers. If, for example, the reason is because there is highly sensitive data on the network, like health records, or credit card numbers, create dummy, non-sensitive versions of these resources so that you can create an internet enabled network that developers can use without risking compromising the resources. Scan the entire software before promoting it to your secure environment. 
> 
> I really recommend getting as creative as you can with this, because I wouldn’t be betting big on a project where developers cannot access the network. You will have long queues forming behind that sheep dip...
> 
>> On 19 Feb 2015, at 09:23, Stephen Masters <[address removed]> wrote:
>> 
>> Hi folks,
>> 
>> A little question for anyone who has been forced to develop in an environment with no internet connection.
>> 
>> Well ... I say “no” internet. What seems likely for a new project I’m setting up, is a single ‘sheep dip’ laptop disconnected from the main network, which can be used by a limited (currently 1) number of people to download specific items, scan them, etc, prior to approving them to be used and putting them somewhere on the internal network. Certainly no developer will be able to download development software or libraries themselves.
>> 
>> As far as I can tell, this will inevitably be a rather painful process, and likely to hinder development in many ways.
>> 
>> Fortunately, this is a completely greenfield project, with no constraints at this point other than the security level, which means that at this early stage, I do have the opportunity to introduce processes and software.
>> 
>> It’s no fun being a developer when you constantly feel hobbled by environmental restrictions, so I was wondering whether anyone has any tips on optimising such a process to make life developing in such a secure environment less painful. Partly for the purely selfish reason of making my life easier. Also, because at some point soon, we’re likely to be doing some recruiting, and I wouldn’t want to put people off straight away, or lose them after 3 months!
>> 
>> Steve
>> 
>> 
>> 
