mcoliver, 5 hours ago:
I've seen this at so many startups (and worked to patch the gaps and put in best practices) including those backed by top tier VCs. The problem is that it is rare for startups to have security minded people. It's usually designers, people who can raise money, and generalists who can stitch together APIs. It's not generally platform, DB, or security minded people. The proliferation of things like Vercel and Supabase have exacerbated this. So you get people deploying API keys client side and DBs without RLS. Or deploying service keys client side when they should be anon. I mean really basic stuff.
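Added example, not code from any commenter: the "DB without RLS" case beside its hardened form, written for a Supabase-style Postgres setup. It assumes the built-in `anon`, `authenticated` and `service_role` database roles, an `auth.users` table, and that `auth.uid()` is derived from the `request.jwt.claims` setting; the `profiles` table is constructed for the example.

```sql
-- Constructed example table: one row per user, holding data only its owner should see.
create table public.profiles (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id),
  email    text not null
);

-- WEAK: RLS is off. Anyone holding the public anon key can read and write every
-- row through the auto-generated REST API, because the anon role has table
-- grants and nothing filters rows. Shipping the anon key client side is
-- expected; shipping it with this table unprotected is the bug.

-- HARDENED: enable RLS so that, by default, no rows are visible at all, then
-- open only owner-scoped access for signed-in users.
alter table public.profiles enable row level security;

create policy profiles_select_own on public.profiles
  for select to authenticated
  using (auth.uid() = owner_id);

create policy profiles_insert_own on public.profiles
  for insert to authenticated
  with check (auth.uid() = owner_id);

create policy profiles_update_own on public.profiles
  for update to authenticated
  using (auth.uid() = owner_id)
  with check (auth.uid() = owner_id);

-- No policy is created for the anon role, so unauthenticated requests return zero rows.

-- Verification from a SQL session: simulate a signed-in user by setting the
-- transaction-local JWT claims that auth.uid() reads (assumed mechanism, as in Supabase).
begin;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                    true);
  set local role authenticated;
  select count(*) from public.profiles;   -- only rows whose owner_id equals that sub
rollback;

-- The service_role key maps to a database role that bypasses RLS, so these
-- policies protect nothing if that key is ever bundled into client code;
-- it belongs on the server only.
```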
The_Blade, 4 hours ago:
> So you get people deploying API keys client side and DBs without RLS. Or deploying service keys client side when they should be anon. I mean really basic stuff.

Claude Code will do this, and actively encourage bypassing any verification before pushing to prod. I saw that first hand with its attempted handling of a major CIAM provider, and then Vercel using whatever OAuth provider in the ol' transitive breach. That is common knowledge now, right? Or am I just smoking yellow tops?
throwaway523401, 8 minutes ago:
I used to work at a startup that handled medical records. A HIPAA breach would have wiped out the company through reputation damage — because our customers were also subject to HIPAA and couldn't possibly hire a startup with a track record of HIPAA breaches. In my personal assessment some individuals within leadership at this startup were highly risk-tolerant. I speculate that had those individuals been in leadership at other companies not subject to HIPAA, security practices would have been as lax and irresponsible as what's being described as the norm in this thread. However, because of HIPAA, security practices at this company were fair-to-middling. There were certainly weak areas and mindless box-checking a la SOC 2, but it wasn't a complete shitshow. Those of us in the engineering department who cared were able to raise concerns and not have them dismissed, and were generally allowed to do things the right way, at least internally. My takeaway: when there are actual severe penalties for privacy breaches, startups may not be so cavalier with your data.
chrisss395, 2 hours ago:
In your opinion, is the lack of attention on security due to speed-bias or not having the expertise? For a startup / sole entrepreneur with very limited resources, what would be your advice?
BowBun, 4 hours ago:
Yep, this has been my experience over 15 years in startups as well. There are barely any punishments, so there is no incentive for startups to change how they operate.
c2h5oh, 4 hours ago:
More often than not security minded people are encouraged to focus on things that get the product to market faster instead.