Sometimes you have a corporate environment where development is client-side only, and databases are the realm of the DBAs. In these cases, devs will still have a common development instance to work on even if they cannot make changes to it, they can still fill it with crap data for testing. If your DB is a mainframe or minicomputer, then chances are the API to access it wil be via stored procedures rather than plain SQL, in which case hiding the underlying schema is ok as the devs don’t need to know it – they do need to know the sprocs however.

Incidentally, even if you do have devs with local DBs they use, its still worth having a centralised DB server that hosts the ‘last release’ or even just an integration DB, so devs can test their code against a known state DB with good (or reasonable) data in it.

The 2nd aspect is code security. I used to work for a company in the financial services sector that took security very seriously, our offshore devs would only work on code by RDPing onto computers that were hosted in the local office. My laptop was locked down to prevent use of filesharing and email websites and things like the USB ports were disabled. I think this is required for PCI security accreditation.

If you have Devs and DBAs rather than just Devs then you should probably only allow devs to access the DB via SProcs. and thus knowledge of the underling schema is not needed. A test DB could be created which always returned static data in response to sproc calls and Dev velocity would be unaffected (possibly even improved!)

However, in my experience, even if a company does have a separated DBA team, its usually the Devs who write the sprocs and table schemas etc which are then handed off to DBAs who look after the DB infrastructure/backups/indexing etc

In this case its ridiculous to hide the schema from the devs who are writing it.

Also, I’m not sure any security benefit is gained by hiding the schema. Or even the source code! Unless you have a very technical cutting edge product (in which case you should patent the algorithms) Anyone can code up a better version in a few months.

In fact, if your product is any good, you can probably already download an open source version for free.

The value of a software company is it user base and copyrighted names. Not its code.

Answer to rewritten question : Should Devs be allowed local Databases

OK, Assuming your Devs create the database schema there is no difference (security wise) between code and DB schema.

ie. You should have a DB project and maintain the schema in a source control system. Having a local DB is just an implementation of the schema and increases no risk.

Now you can argue that not having source code locally on a laptop which is taken out of the building is a security benefit. Even if you trust your devs laptops are lost/stolen all the time.

But this isn’t really an argument for or against local vs development DBs its an argument for not taking development computers home. Which, unless you have people working from home why would you?

If you have remote workers, then yes you can address security issues about stolen computers releasing confidential info. but I would be far more worried about confidential customer data/emails etc rather than sourcecode/db schema