1

We're working towards implementing an SDLC for a company and, as in any complex environment, there are differences of opinion about the new process. Some of the developers want to make use of one directory; others want to use another. Due to IT resource constraints there can be only one directory that will be exempted from e.g. real-time anti-virus for performance and file integrity monitoring.

Environment specifics are:

  • All source will be created and compiled on Windows platforms
  • Most developers will have local admin rights
  • Enterprise security tools such as AV, FIM and a hardened Win10 image are in place
  • Different project teams use different languages, IDEs, compilers, tools etc.

Are there specific security benefits to locating the source code in the user profile directory, e.g.

%USERPROFILE%\source

or is it irrelevant and a short directory such as:

C:\Code

will work just as well with no security implications?

Joe

2 Answers

2

It's irrelevant. This is because the user is running with the permissions to access this folder; if the user gets compromised, it doesn't matter in which folder the source code is stored.

Make sure you use BitLocker to encrypt the hard drives in case the endpoint gets stolen.

0

Local directory location is immaterial. This is because:

  1. Interacting with the code to begin with requires local privileges, and
  2. More importantly, machines can be searched.

So essentially it really doesn’t matter where you put your source, because ultimately they’re not permanent structures. Search files, flatten directories, rename files: those operating system structures don’t change much.

That being said, I find this an understandable but slightly unusual question. Good of you to ask it! But I’m curious about what prompts it. What’s your threat model here?

securityOrange