I've worked in security for years. This isn't really true. The majority of all security breaches are caused by internal threats, not by some hacker group breaching your firewall. Malicious actors tailgating someone into an office and stealing an unlocked laptop, or an unlocked laptop being stolen while at a coffee shop or airport, is also a very common occurrence I've seen at most of my clients.
The thing is, it's easy to see that someone stole your machine and take action to revoke credentials. Further, the damage a person can do with a dev machine is rather limited - probably the worst that might happen is exfiltrating code. Yes, devops machines can do more damage, but presumably all their remote access is 2FA protected (at least). But a dev's main influence is pushing to a git remote and triggering a build. Maybe the build is a weak spot, but it seems unlikely that an attacker would find and exploit it faster than the defender would realize the box is gone and revoke keys.
No, my main concern is ongoing, persistent, secret access to my machine, particularly delivered via a malicious package. Something like Little Snitch is going to make it much harder for such an attack to work. Locking your machine, 2FA, PKI, etc. is not going to help with that threat at all. And I have reason to believe it's more common than people think.
>probably the worst that might happen is exfiltrating code
This is far far from the worst that might (and does) happen. I think you severely underestimate the average dev's access to critical systems.
>but presumably all their remote access is 2FA protected
hahahahahaha
You also severely overestimate the security of most companies. A lot of F500s don't even use 2FA at all, let alone on something like CI/CD.
> unlikely that an attacker would find and exploit it faster than the defender would realize the box is gone and revoke keys
I have firsthand seen many cases where this isn't true at all. OTOH, I've never once heard of anyone catching a breach by using Little Snitch or anything close to it (though I'm not opposed to it at all as a good practice).
And in many cases, it has very little to do with "revoking keys" or any kind of remote access. Many people, whether they realize it or not, usually have some very valuable data just sitting in a csv file on their machine (I've encountered a large number of devs that have partial exports of customer databases stored locally on their machine that they were using for local testing). That type of stuff is easily lifted, no remote access required.