I've seen this at so many startups (and worked to patch the gaps and put in best practices) including those backed by top tier VCs. The problem is that it is rare for startups to have security minded people.
It's usually designers, people who can raise money, and generalists who can stitch together apis. It's not generally platform, db, or security minded people. The proliferation of things like vercel and supabase have exacerbated this.
So you get people deploying API keys client side and dbs without rls. Or deploying service keys client side when they should be anon. I mean really basic stuff.
> So you get people deploying API keys client side and dbs without rls. Or deploying service keys client side when they should be anon. I mean really basic stuff.
Claude Code will do this, and actively encourage bypassing any verification before pushing to prod. I saw that first hand with its attempted handling of a major CIAM provider, and then Vercel using whatever OAuth provider in the ol' transitive breach
That is common knowledge now, right? Or am I just smoking yellow tops
Yeah but Supabase yells really loudly if you have RLS turned off with their own AI agent, plus you can ask Claude to red team the platform to have it lock it down.
Yep, this has been my experience over 15 years in startups as well. There are barely any punishments, so there is no incentive for startups to change how they operate.
Same here. I've witnessed horrifying security bugs that were basically flagged as WONTFIX internally because it was too much work to fix until it was exploited.
Honestly though, I get it. If you have headcount for two people, do you want one of those people to be a DBA and another to be a platform architect? Who's going to actually make the app?
I genuinely think the problem is that frameworks don't do this for you. Why should you need a DBA and platform architect to make a multi tenant CRUD app? Pretty much everyone does the same thing.
Security minded generalists exist. They might move slower than you expect of an MFBS (move fast break shit) engineer, but you might also end up with fewer issues later.
there’s always some senior-ish person in the interview pool who is interested in security. hire them, let them figure things out and then give them permission to call bullshit on what you’ve done so far.
avoid hiring the “fanatics” tho. you don’t need E2EE everywhere.
And auth checks on the frontend. Or sometimes on the backend, but only on list pages. Or tables that still use INTEGER PRIMARY KEY AUTOINCREMENT in 2026 (which is one way to definitely disprove your statements about 1000x growth).
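The three gaps named in this thread (client-side service keys, tables without RLS, authorization enforced only in the frontend or only on list pages) all have the same fix on a Supabase/Postgres backend: put the ownership check in the database so it applies to every query path. The schema below is an added example, not code from the thread or from Supabase; the table and column names are invented, and it assumes Supabase's `auth` schema is present (`auth.uid()` is Supabase's helper that returns the caller's user id from the request JWT).

```sql
-- Added example (not from the thread): a minimal multi-tenant "courses" table with
-- row-level security. Assumes Supabase's auth schema; names are made up.

create table public.courses (
  -- uuid keys rather than INTEGER ... AUTOINCREMENT: ids are neither guessable
  -- nor countable, so they leak nothing about volume and can't be enumerated.
  id uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id) on delete cascade,
  title text not null,
  created_at timestamptz not null default now()
);

-- Without this line, every row is readable and writable by anyone holding the
-- public anon key, which ships in the browser bundle by design.
alter table public.courses enable row level security;

-- One policy per operation, each scoped to the row owner. Because the check
-- runs inside the database it covers list queries, single-row fetches, updates
-- and deletes alike; there is no "only on the list page" gap to forget.
create policy "owners can read their courses"
  on public.courses for select
  using (auth.uid() = owner_id);

create policy "owners can insert their own courses"
  on public.courses for insert
  with check (auth.uid() = owner_id);

create policy "owners can update their courses"
  on public.courses for update
  using (auth.uid() = owner_id)
  with check (auth.uid() = owner_id);

create policy "owners can delete their courses"
  on public.courses for delete
  using (auth.uid() = owner_id);
```

Two caveats worth knowing. Enabling RLS with no policies at all denies everything to the anon and authenticated roles, so a "my app suddenly shows no data" symptom after enabling it usually means a missing policy, not a broken table. And the service_role key bypasses RLS entirely; it belongs only in server-side code or edge functions, never in a client bundle, which is exactly the anon-versus-service-key mixup described above.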
I used to work at a startup that handled medical records. A HIPAA breach would have wiped out the company through reputation damage — because our customers were also subject to HIPAA and couldn't possibly hire a startup with a track record of HIPAA breaches.
In my personal assessment some individuals within leadership at this startup were highly risk-tolerant. I speculate that had those individuals been in leadership at other companies not subject to HIPAA, security practices would have been as lax and irresponsible as what's being described as the norm in this thread.
However, because of HIPAA, security practices at this company were fair-to-middling. There were certainly weak areas and mindless box-checking a la SOC-2, but it wasn't a complete shitshow. Those of us in the engineering department who cared were able to raise concerns and not have them dismissed, and were generally allowed to do things the right way.
My takeaway: when there are actual severe penalties for privacy breaches, startups may not be so cavalier with your data.
In your opinion, is the lack of attention on security due to speed-bias or not having the expertise? For a startup / sole entrepreneur with very limited resources, what would be your advice?
IME it's always lack of experience, at least at the level being described here. It's the same kind of person adding CORS handling to a pure backend service for "security" reasons. They just don't know any better and don't have a good enough mental model of how it all fits together to be able to recognize when they need to research more. The insecure patterns being chosen instead usually aren't even easier or faster to implement.
I don't have any concrete recommendations other than that one really good senior+ engineer is more important than a legion of juniors early on. Basic security doesn't require an extra hire; it requires somebody experienced enough to build your product right.
Yeah, in most cases these security vulnerabilities are also regular bugs too.
I'll bet at some point someone contacted this company and said "hey I'm being shown the wrong course" or "I can't access the material I just uploaded."
I've never seen anyone who got the basics right compromised because of some esoteric security issue. I'm sure it happens and probably will happen more now that it can be automated but it's usually a case of a system being left wide open.
Yeah what was said below. Lack of experience. A lot of people just don't know to ask about it or think through data flows. Running your code base through an llm asking it to act as a l7 security auditor, take its time, think from first principles, and look for data leaks and potential security gaps in the code and architecture is a good start. Also don't ignore supabase when it gives you suggestions on things to fix.
As a solo entrepreneur you really have to prioritize your time but spending an extra day or two to think through everything using something like Gemini thinking or pro and an llm with an eye on security before you start taking customer data is probably a really good use of your time and you'll learn a thing or three. Just keep asking why and think critically.
Virtual credit cards have been a thing for years. I remember Bank of America or Citi providing them to me 15+ years ago. If I recall it was a java app or maybe even a standalone exe. Shocked they never took off more broadly.
Robinhood absolutely nails this. Best virtual credit card system I have ever used. So seamless. Can auth a card for one time use, 24 hours, or indefinite until you cancel. Such a great UI / UX
MBNA (which got bought out by Chase) had a Flash-based virtual card app back in the early 2000's. I really enjoyed using it. I also can't understand why they haven't taken off, especially in the world of Everything Is A Subscription we're living in now. I adored being able to set expiration dates and spend limits to save ugly negotiations about ending subscriptions.
Ebay is having issues right now. Appears to be at the edge. I'm guessing the root cause is also what is affecting github right now. What other sites are experiencing issues?
An error occurred while processing your request.
Reference #97.882c2d17.1777318317.5fa0343
The Casa Diablo geothermal facility in the eastern Sierra Nevada of California has been a success. I also remember reading years back about ideas surrounding how to extract energy from Yellowstone both to provide clean energy but also to decrease risk of another massive explosion. If I recall they were proposing digging a massive horizontal tunnel to come in deep and extract heat without compromising the roof.
I think it's time to revise HN guidelines, when the original title is clearly intentionally misleading/clickbait/omitting key facts ("temporarily disappeared" in this case). Editorializing to fix that should be encouraged, not just allowed.
With hp shutting down anyware / teradici / pcoip there are quite a few people looking for alternatives that support high resolution multi monitor with 60fps high bit depth playback and things like wacom tablet support and all three OS. Parsec and DCV are out there on the spend money side. I'm excited about the open source efforts. Things like rustdesk, kyber, and teraguchi. The community needs an open source high performance option.
Oddly specific. The interactions and variables in biology and physics create way more permutations than many (perhaps all?) people can wrap their heads around but that doesn't mean the possibility of reasoning from first principles doesn't exist. There are very well defined pathways in both medicine and physics. The ones we haven't discovered are most likely much more complex and may contain recursive loops that make tradeoffs inevitable. Or not. The rapid improvement in pattern recognition and processing leads me to believe we are in for a wild time over the next 10 years with a ton of breakthroughs in both physics and medicine.
SSG are over engineered? If anything it feels the opposite. Everything in a text git repo, templated, and a llm can understand and extend. Git branch to test new builds, merge to main deploys globally on cloudflare. Super fast load times, zero security issues to worry about, zero dependencies. Version control. Zip it up and take it wherever you want.
No server side things to worry about. It's super clean. Jekyll, css, js, GitHub and cloudflare is such a clean and refreshing setup.