
Ask HN: What cloud security practices should you do, but don't? - Ethan_Mick
For example, you should run vulnerability scans on your infrastructure, but don't. Perhaps your company doesn't have a vulnerability disclosure policy, but should.

Why not?
======
jaredraby
I no longer work at the company, but I used to work at a startup doing IoT
devices. Our cloud server didn't stay up to date with security vulnerabilities
as we should have. Basically letting MySQL get behind in versions. There was
also the issue of SSL being forgone in the name of time saving since I was the
only one working on infrastructure. The development platform we were using
broke on older versions with SSL enabled, so it was thrown into the wind
before I had the time to deal with it.

This was due to being inexperienced with the work, too many duties, and a
timeline that didn't give me the time that I needed to fully understand some
topics.

TLDR:
- Security vulnerabilities from version updates
- SSL on some platforms
- Not having a dedicated / experienced individual on staff for dev ops in general

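One defender-side check for the two gaps this post describes (a database that fell behind on versions and TLS that never got turned on), added here as an example that is not the poster's or any vendor's code: a small audit of a MySQL option file against a version floor and the TLS options require_secure_transport, ssl_cert and ssl_key. MIN_VERSION is an assumed value, and both option-file samples are constructed.

```python
"""Added example (not the thread's code): audit a MySQL option file for the two
gaps described above, a server version that fell behind and TLS never enabled."""
import re

# Oldest version still accepted; an assumed value, not a claim about any MySQL release.
MIN_VERSION = (8, 0, 30)

def parse_version(text):
    """'8.0.30-0ubuntu0.22.04.1' -> (8, 0, 30); raises on unrecognised input."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def parse_my_cnf(text):
    """Minimal my.cnf reader -> {section: {option: value}}. MySQL treats
    'ssl-cert' and 'ssl_cert' alike, so option names are normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):   # blank, comment or !include line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, has_value, value = line.partition("=")
            key = key.strip().lower().replace("-", "_")
            sections[current][key] = value.strip() if has_value else ""
    return sections

def audit(my_cnf_text, server_version):
    """Return findings as a list of strings; an empty list means both checks pass."""
    mysqld = parse_my_cnf(my_cnf_text).get("mysqld", {})
    findings = []
    if parse_version(server_version) < MIN_VERSION:
        floor = ".".join(map(str, MIN_VERSION))
        findings.append(f"server {server_version} is older than the accepted floor {floor}")
    if "ssl_cert" not in mysqld or "ssl_key" not in mysqld:
        findings.append("no ssl_cert/ssl_key configured: the server cannot offer TLS")
    if mysqld.get("require_secure_transport", "OFF").upper() not in ("ON", "1"):
        findings.append("require_secure_transport is not ON: plaintext connections allowed")
    return findings

# Constructed samples: the weak setup (TLS skipped) and its corrected form.
WEAK_CNF = "[mysqld]\nbind-address = 0.0.0.0\nrequire_secure_transport = OFF\n"
HARDENED_CNF = ("[mysqld]\nssl-cert = /etc/mysql/server-cert.pem\n"   # placeholder paths
                "ssl-key = /etc/mysql/server-key.pem\nrequire_secure_transport = ON\n")
```

Running `audit(WEAK_CNF, "5.7.10")` reports all three findings, while the hardened file on a current version returns an empty list.
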
~~~
ontoillogical
<self promotion>

I'm not surprised to see that the first thing you listed was patching known
vulnerabilities. Staying up to date with known vulnerabilities is the baseline
of a security policy, but patch management is needlessly hard, especially if
you don't have dedicated staff to scour security mailing lists.

We built a product to make this easier:
[https://appcanary.com](https://appcanary.com) . Maybe it would have helped
your old employer.

</self promotion>

------
atmosx
> Why not?

From a sysadmin/devops PoV it boils down to _flexibility_. Security comes at the
expense of flexibility, and flexibility is more important for the survival and
well-being of many/most IT companies; it's especially crucial to startups.

