Did Scott Hanselman have too much cough syrup on show #135?
So this question will get technical – eventually – but first check out Hanselminutes with Atwood (et. al.) where Scott basically invites developers to try to hack this site. It’s a hoot. I first thought (out loud of course, because with headphones on you get the best stares from people as you think out loud) “he either just got off a plane without meal service from Hong Kong or was ticketed for driving a Bobcat after too much cough syrup.”
So the question is, if a site like this can survive on one box, does it need multiple firewalls, a DMZ, and an anal ex-banker with a big stick? In other words, do we chase after the grail of security architectures just because THEY tell us to?
Disclaimer: I love Scott Hanselman and am a big fan of his another layer of abstraction theory.
I really enjoyed the podcast, and found it refreshing to hear someone of Jeff's reputation sharing the same business/cost driven reality that so many of us face. I often find books/podcasts/presentations a little Utopian.
Making it work is still the primary goal. Beautiful code, perfect abstraction, NSA level security - those are all lofty goals too, but too much focus on those things can drive a project into premature bankruptcy.
Ya, I agree that my paranoia probably got the best of me. I think it's MORE useful to complain about Jeff's lack of a separate dev and staging machine...not sure I have the stomach to push directly out to production. ;)
Seriously, though, forgetting about the hardware aspects of things, I should have talked more about threat modeling. It seems like Jeff's got a pretty good handle on that, however, and is plugging holes as fast as they are found.