I've seen this at so many startups (and worked to patch the gaps and put in best practices) including those backed by top tier VCs. The problem is that it is rare for startups to have security minded people.
It's usually designers, people who can raise money, and generalists who can stitch together apis. It's not generally platform, db, or security minded people. The proliferation of things like vercel and supabase have exacerbated this.
So you get people deploying API keys client side and dbs without rls. Or deploying service keys client side when they should be anon. I mean really basic stuff.
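The "dbs without rls" and "service keys client side" failure modes above, shown as an added Supabase/Postgres example (not code from anyone in this thread; the `documents` table and its columns are constructed for illustration, `auth.uid()` and `auth.users` are Supabase's built-ins):

```sql
-- Constructed multi-tenant table. A freshly created table has RLS OFF,
-- so anything holding the public anon key can read and write every row.
create table public.documents (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id),
  title    text not null,
  body     text
);

-- Check: list public tables that still have RLS disabled.
-- (pg_tables.rowsecurity is a standard Postgres catalog column.)
select schemaname, tablename
from   pg_tables
where  schemaname = 'public' and rowsecurity = false;

-- Fix: enforce tenancy in the database, not in the frontend.
-- With RLS enabled and no policies, the anon/authenticated roles see nothing.
alter table public.documents enable row level security;

-- Each authenticated user may only read rows they own.
create policy "documents: owners select"
  on public.documents for select
  to authenticated
  using (auth.uid() = owner_id);

-- ...and may only insert rows stamped with their own id.
create policy "documents: owners insert"
  on public.documents for insert
  to authenticated
  with check (auth.uid() = owner_id);

-- ...and may only update/delete their own rows, never re-assign them.
create policy "documents: owners update"
  on public.documents for update
  to authenticated
  using (auth.uid() = owner_id)
  with check (auth.uid() = owner_id);

create policy "documents: owners delete"
  on public.documents for delete
  to authenticated
  using (auth.uid() = owner_id);

-- Note: the service_role key BYPASSES every policy above. It belongs only in
-- server-side code; a browser bundle should ship nothing but the anon key.
```

Re-run the `pg_tables` check after every migration; a new table silently reverts to the wide-open default.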
> So you get people deploying API keys client side and dbs without rls. Or deploying service keys client side when they should be anon. I mean really basic stuff.
Claude Code will do this, and actively encourage bypassing any verification before pushing to prod. I saw that first hand with its attempted handling of a major CIAM provider, and then Vercel using whatever OAuth provider in the ol' transitive breach
That is common knowledge now, right? Or am I just smoking yellow tops
Yeah but Supabase yells really loudly if you have RLS turned off with their own AI agent, plus you can ask Claude to red team the platform to have it lock it down.
Honestly though, I get it. If you have headcount for two people, do you want one of those people to be a DBA and another to be a platform architect? Who's going to actually make the app?
I genuinely think the problem is that frameworks don't do this for you. Why should you need a DBA and platform architect to make a multi tenant CRUD app, pretty much everyone does the same thing.
Security minded generalists exist. They might move slower than you expect of a MFBS (move fast break shit) engineer, but you might also end up with fewer issues later.
> Security minded generalist
there’s always some senior-ish person in the interview pool who is interested in security. hire them, let them figure things out and then give them permission to call bullshit on what you’ve done so far.
avoid hiring the “fanatics” tho. you don’t need E2EE everywhere.
And auth checks on the frontend. Or sometimes on the backend, but only on list pages. Or tables that still use INTEGER PRIMARY KEY AUTOINCREMENT in 2026 (which is one way to definitely disprove your statements about 1000x growth).
Yep, this has been my experience over 15 years in startups as well. There are barely any punishments, so there is no incentive for startups to change how they operate.
Same here. I've witnessed horrifying security bugs that were basically flagged as WONTFIX internally because it was too much work to fix until it was exploited.
You could even say they're paid even more to "move fast and break things".
While simultaneously wondering why software development being treated as a discipline of engineering is such a controversial subject.
Because, unlike bridges, software can easily be bought, including from countries that don't have such regulations.
Governments can certainly regulate imports.
I used to work at a startup that handled medical records. A HIPAA breach would have wiped out the company through reputation damage — because our customers were also subject to HIPAA and couldn't possibly hire a startup with a track record of HIPAA breaches.
In my personal assessment some individuals within leadership at this startup were highly risk-tolerant. I speculate that had those individuals been in leadership at other companies not subject to HIPAA, security practices would have been as lax and irresponsible as what's being described as the norm in this thread.
However, because of HIPAA, security practices at this company were fair-to-middling. There were certainly weak areas and mindless box-checking a la SOC-2, but it wasn't a complete shitshow. Those of us in the engineering department who cared were able to raise concerns and not have them dismissed, and were generally allowed to do things the right way.
My takeaway: when there are actual severe penalties for privacy breaches, startups may not be so cavalier with your data.
More often than not security minded people are encouraged to focus on things that get the product to market faster instead.
In your opinion, is the lack of attention on security due to speed-bias or not having the expertise? For a startup / sole entrepreneur with very limited resources, what would be your advice?
IME it's always lack of experience, at least at the level being described here. It's the same kind of person adding CORS handling to a pure backend service for "security" reasons. They just don't know any better and don't have a good enough mental model of how it all fits together to be able to recognize when they need to research more. The insecure patterns being chosen instead usually aren't even easier or faster to implement.
I don't have any concrete recommendations other than that one really good senior+ engineer is more important than a legion of juniors early on. Basic security doesn't require an extra hire; it requires somebody experienced enough to build your product right.
Yeah, in most cases these security vulnerabilities are also regular bugs too.
I'll bet at some point someone contacted this company and said "hey I'm being shown the wrong course" or "I can't access the material I just uploaded."
I've never seen anyone who got the basics right compromised because of some esoteric security issue. I'm sure it happens and probably will happen more now that it can be automated but it's usually a case of a system being left wide open.
Yeah what was said below. Lack of experience. A lot of people just don't know to ask about it or think through data flows. Running your code base through an llm asking it to act as an L7 security auditor, take its time, think from first principles, and look for data leaks and potential security gaps in the code and architecture is a good start. Also don't ignore supabase when it gives you suggestions on things to fix.
As a solo entrepreneur you really have to prioritize your time but spending an extra day or two to think through everything using something like Gemini thinking or pro and an llm with an eye on security before you start taking customer data is probably a really good use of your time and you'll learn a thing or three. Just keep asking why and think critically.