Cyber Essentials and MAMP Pro
Mike Dixon
We recently went through the process of applying for Cyber Essentials. Cyber Essentials is a program created by the UK government to help businesses get on top of their cyber security. It was an interesting process for us to go through, and certainly helped us to formalise and document practices we had been doing for years.
We did hit a bit of a blocker for our developers though, specifically:
A7.6 Use of Administrator Accounts
How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?
We have used many different development workflows and environments over the years, but recently we had semi-standardised on using MAMP Pro. Our previous experiments with other workflows had all been unsuccessful for various reasons, either suffering from poor performance (Docker-based solutions) or being very fragile and sensitive to OS updates (Valet).
The issue is that MAMP Pro cannot start from a non-admin account. There are various solutions for attempting to trick it into starting as a non-admin user, but we couldn't get any of them to actually work. Instead we came across a post from Studio 24, who made use of a magic app called Privileges as a workaround.
The Privileges app worked great, and allowed our developers to quickly elevate themselves to an admin when they needed to start MAMP Pro, and then switch back to a non-admin user for the rest of their working day. We had hoped this would be sufficient to tick the box for the Cyber Essentials assessment, but sadly not - it was a hard no from the assessor, and we would need to re-think our workflow.
So, one mild panic and busy weekend later, we made the company-wide leap to ddev. And actually, it's been great - we should have done it years ago. Our previous experiences of Docker-based workflows and painfully slow file system issues have all been resolved. It even has the added bonus of shifting all the (potentially dangerous, and sometimes flaky) npm stuff off the developer machines and into the Docker containers.
So - in summary - if you are looking to get Cyber Essentials certified, and you are using MAMP Pro - then your only option is to jump ship, but chances are you'll be pleased you did.