In your opinion, is the lack of attention on security due to speed-bias or not having the expertise? For a startup / sole entrepreneur with very limited resources, what would be your advice?

IME it's always lack of experience, at least at the level being described here. It's the same kind of person adding CORS handling to a pure backend service for "security" reasons. They just don't know any better and don't have a good enough mental model of how it all fits together to be able to recognize when they need to research more. The insecure patterns being chosen instead usually aren't even easier or faster to implement.

I don't have any concrete recommendations other than that one really good senior+ engineer is more important than a legion of juniors early on. Basic security doesn't require an extra hire; it requires somebody experienced enough to build your product right.

Yeah, in most cases these security vulnerabilities are also regular bugs too.

I'll bet at some point someone contacted this company and said "hey I'm being shown the wrong course" or "I can't access the material I just uploaded."

I've never seen anyone who got the basics right compromised because of some esoteric security issue. I'm sure it happens and probably will happen more now that it can be automated but it's usually a case of a system being left wide open.

Yeah what was said below. Lack of experience. A lot of people just don't know to ask about it or think through data flows. Running your code base through an LLM asking it to act as an L7 security auditor, take its time, think from first principles, and look for data leaks and potential security gaps in the code and architecture is a good start. Also don't ignore Supabase when it gives you suggestions on things to fix.

As a solo entrepreneur you really have to prioritize your time, but spending an extra day or two to think through everything using something like Gemini thinking or pro and an LLM with an eye on security before you start taking customer data is probably a really good use of your time, and you'll learn a thing or three. Just keep asking why and think critically.