Running it in production is the point. An idea is pursued to validate the market for it, not to accomplish building a scalable, secure solution that nobody wants.
This is an unfortunate consequence of having a free and openly distributed internet. Unless you're auditing and compiling your own builds from open source, you have no idea where your data is going.
I'm all for best practices and due diligence. But from the startup founder perspective, you can't let yourself be paralyzed by the fear that everything will go horribly wrong.
> But from the startup founder perspective, you can't let yourself be paralyzed by the fear that everything will go horribly wrong.
Some middle ground here is definitely needed.
Even for startups, things going "horribly wrong" can kill people (medical devices, biochemistry, robotics, transportation) or send people to jail (accounting, banking).
And if you think your web startup doesn't deal with "dangerous" things, I suggest googling for "life-threatening grindr security flaw".
90 percent of the users who reuse passwords for your app will end up on a list and find themselves on haveibeenpwned months too late, or never.