No. I don’t think so. I think if you took many engineers and sat them at a computer and asked them to stand up a whole dev staging prod system they wouldn’t be able to do it.
I certainly would not, or it would take me a significant amount of time to do properly. I have been a full stack dev for 10 years. Now take that one step further to someone whose only interaction with development is numpy, pandas, julia, etc…
You are, in typical HN style, minimising the problem into insignificance.
This is /not/ a “stick it behind an aws load balancer and on one of their abstracted services that does 99% of the work for you” - that would be less difficult.
E: love how this is getting ratioed by egotistical self confessed x10 engineers no doubt. Some self reflection is needed on your behalf. Just because /you/ think you would be capable, does not mean that the plethora of others would be able to.
What likely happened here is an ingress rule was set up wrongly on iptables or equivalent... something many of your fellow engineers would have no clue about. An open dev database is rather normal if you want something out of the door quickly; why would you worry about an internally accessible only tool’s security if you trust your 10 or so staff? Have a think about the startups you have worked in (everyone here is a startup pro, just like you are - remember!) and what dire situation your MVP was in behind its smoke and mirrors PowerPoint slide deck.
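The failure mode this comment describes (a database that was meant to be reachable only internally ending up listening on a public interface) is cheap to check for. Below is an added example, not code from the thread or from any of the companies discussed: it parses the output format of `ss -ltn` (a constructed sample is embedded) and flags listeners on well-known default database ports that are bound to a wildcard address. The port-to-service table assumes default ports; a real host would also need its firewall rules audited, since binding to loopback and an ingress rule are two separate layers.

```python
"""Flag database services listening on all interfaces.

Added example for the thread above; not part of the original discussion.
Assumptions: services use their default ports, and the input follows the
column layout of `ss -ltn` (State, Recv-Q, Send-Q, Local Address:Port, ...).
"""
from __future__ import annotations

# Well-known default ports (assumption: the host uses defaults).
DB_PORTS = {
    5432: "postgresql",
    3306: "mysql",
    27017: "mongodb",
    6379: "redis",
    9200: "elasticsearch",
}

# Addresses that mean "every interface", IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*
LISTEN  0       4096    [::]:27017           [::]:*
LISTEN  0       4096    *:9200               *:*
LISTEN  0       128     [::1]:3306           [::]:*
"""


def _split_addr_port(field: str) -> tuple[str, int]:
    """Split 'addr:port', handling bracketed IPv6 like '[::]:27017'."""
    addr, port = field.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (local_address, port) for every LISTEN row in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        # Skip the header and anything that is not a listening socket.
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        listeners.append(_split_addr_port(parts[3]))
    return listeners


def is_wildcard(addr: str) -> bool:
    """True if the bind address accepts connections on all interfaces."""
    return addr.strip("[]") in WILDCARD_ADDRS


def find_exposed_db_listeners(ss_output: str) -> list[dict]:
    """Database-port listeners bound to a wildcard address.

    Loopback binds (127.0.0.1, ::1) are deliberately not reported: they are
    unreachable from other hosts regardless of firewall state.
    """
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in DB_PORTS and is_wildcard(addr):
            findings.append({"addr": addr, "port": port, "service": DB_PORTS[port]})
    return findings


if __name__ == "__main__":
    for f in find_exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['service']} on {f['addr']}:{f['port']} listens on all interfaces")
```

On the sample, the PostgreSQL and MySQL listeners are skipped because they are bound to loopback, while Redis, MongoDB and Elasticsearch are reported. Run against real `ss -ltn` output, a non-empty result is the point at which to ask whether the service has authentication enabled and whether the host's ingress rules actually restrict that port.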
Yes, this was disastrous for PR. No, it is not a problem solved in its entirety by learned engineering experts like yourself.
I would consider it table stakes for an intermediate level engineer at a big company (which would have well defined processes for doing this safely) or a senior at any other company (on the assumption some of that infra has to be set up from scratch). If 10 years of experience hadn’t taught me this yet, I would personally be concerned how I’m spending my energy. I am roughly at the 10y mark, and I would estimate I have been competent enough to build a public facing application without embarrassing public access issues on my own for at least 4 years. Even before that, I would have known what to be scared of / seek help on for at least 7 years. I guess I could be more unusual than I think, but the idea that at 10 years anyone would be ok not knowing how to approach such a routine task is baffling to me.
HN is a bubble. The expectation that your colleagues are /experts like you/ is unrealistic. To stand something up like this, which is entirely on bare metal - this is a task many would find challenging if they are entirely honest with themselves and put their egos to the side. Your typical SWE thinks that nothing is impossible.
There was a recent comment which said along the lines of “I used to watch figure skating, seeing them race around and spin, and think no big deal. It was only when I went on ice that I realised how difficult and impressive what they were doing was” - this is exactly the trap SWEs are most guilty of. — /this/ is what you learn as a staff level.
You are talking to the ice skaters.
They expect you to do up your laces. Setting a password on a database is something I would expect of any company capable of asking for a credit card.
Everything you say is true, but I don't think any of it actually applies to being able to safely deploy user facing systems. I would certainly not trust myself to do all possible aspects of setting up a user facing system completely from scratch (i.e. nothing but a libc on linux or whatever); I would not trust myself to write correct crypto, for example. But I have a good sense of what I can trust myself to build relatively safely. And of course I'm not claiming that "knowledge of where to trust myself" is by any means flawless. But even in college I made applications for people that were exposed to the public internet. I was very aware of what I felt I could trust myself to do and what I needed to rely on some other system for. In my case I delegated auth to "sign in with google" and relied on several other services for data storage. There were features that I didn't ship because I didn't trust myself to build them safely, and I was working alone. Now I would not necessarily expect every CS student to be able to do this safely, but a healthy understanding of one's own current limitations and being willing to engineer around that as a constraint is pretty achievable, and can get you very far.
I don’t understand this comment? Is it unusual to request something like this? OP’s comment was saying that all 1000 or so (and hundreds of thousands of others) of his colleagues would be able to do this if asked?
I don’t know if you are in agreement with me or not
I am agreeing with your premise that asking a random s/w technician to deploy an app fairly securely would be problematic, and then generalized it to include many tasks related to s/w engineering.
Right, and DeepSeek doesn't employ any because they're a bunch of quants who are used to building internal systems. I don't see how this responds to OP's point.
That's not a matter of battle hardened experience. Publicly exposing database management endpoints that allow arbitrary execution is a *massive* no-no that even a junior developer with zero experience should be able to sense is a bad idea.