Claude Code will do this, and actively encourage bypassing any verification before pushing to prod. I saw that first hand with its attempted handling of a major CIAM provider, and then Vercel using whatever OAuth provider in the ol' transitive breach
That is common knowledge now, right? Or am I just smoking yellow tops
I genuinely think the problem is that frameworks don't do this for you. Why should you need a DBA and platform architect to make a multi tenant CRUD app, pretty much every one does the same thing..
there’s always some senior-ish person in the interview pool who is interested in security. hire them, let them figure things out and then give them permission to call bullshit on what you’ve done so far.
avoid hiring the “fanatics” tho. you don’t need E2EE everywhere.
In my personal assessment some individuals within leadership at this startup were highly risk-tolerant. I speculate that had those individuals been in leadership at other companies not subject to HIPAA, security practices would have been as lax and irresponsible as what's being described as the norm in this thread.
However, because of HIPAA, security practices at this company were fair-to-middling. There were certainly weak areas and mindless box-checking a la SOC-2, but it wasn't a complete shitshow. Those of us in the engineering deparment who cared were able to raise concerns and not have them dismissed, and were generally allowed to do things the right way.
My takeaway: when there are actual severe penalties for privacy breaches, startups may not be so cavalier with your data.
I don't have any concrete recommendations other than that one really good senior+ engineer is more important than a legion of juniors early on. Basic security doesn't require an extra hire; it requires somebody experienced enough to build your product right.
I'll bet at some point someone contact this company and said "hey I'm being shown the wrong course" or "I can't access the material I just uploaded."
I've never seen anyone who got the basics right compromised because of some esoteric security issue. I'm sure it happens and probably will happen more now that it can be automated but it's usually a case of a system being left wide open.
As a solo entrepreneur you really have to prioritize your time but spending an extra day or two to think through everything using something like Gemini thinking or pro and an llm with an eye on security before you start taking customer data is probably a really good use of your time and you'll learn a thing or three. Just keep asking why and think critically.