[qz2]

What I find frustrating is that if you are in a high stake environment it’s increasingly fashion driven too. I am in one of those environments where we can get prosecuted, big time. I tend to opt for a conservative engineering approach with maturity and security considerations being a key part of the design process.

But no, fuck that, someone went to a conference, bought everything shiny and started a death-march of throwing any old hacked up shit and containers from random joes in a limping kubernetes cluster that no one really understand and calling it a success.

That’s reality in 2020 unfortunately. I don’t sleep very well these days.

[bob1029]

I dont understand why business leaders cannot see this for what it is and take back some control. Investors need to start asking more probing questions about how organizations develop and deploy applications. Perhaps if the money becomes contingent, people will start to give a shit about the engineering quality.

At no point should "fun" be a line item when determining what technology to select in a high stake environment.

We are in finance and we picked the most boring technologies we could find. Most of our stuff doesn't even talk to the network stack. I can't imagine running our transactions, with their piping hot PII, through the labyrinthine monstrosity that is modern "best practices".

[qz2]

Problem with investors is that they pay third parties to do audits and third parties are filled with box tickers who ask a load of questions. You can strategically answer any question. So the game becomes how to answer the audit questions effectively rather than an honest appraisal of the situation.

Also it's not really fun. It's a frustration ridden shit show. You spend all day solving complex problems instead of building business value.

A fine example of where the tradeoff ends is spending three weeks solving fundamental networking issues due to stack complexity and immaturity.

[jacquesm]

> You can strategically answer any question.

Good luck with that.

We do exactly that for a living here, we're essentially 5 people who are all CTO grade and have run our own companies. If you can fool us for a whole day you've deserved your investment, but I highly doubt anybody ever got away with that.

[qz2]

There’s at least two layers of indirection and yes I probably could fool you or just blatantly lie.

[jacquesm]

Good for you, it's been tried but so far without success. Maybe you're the exception but I highly doubt that. Arrogance on my part, for sure, but the record on my end speaks for itself (170+ companies looked at to date) and you are an AC.

[qz2]

My house was paid for by someone who was that arrogant :)

[tinco]

Because all the shiny new things make promises. From larger talent pools in node.js, to cheaper scaling with kubernetes. They all talk to business leaders in terms they understand.

Also, this is a fundamental property of innovation, innovation usually is made possible by the new and shiny things. I run the software side of a hardware startup, and I wouldn't have been able to run such a complex software system with such a small team if it wasn't for all the shiny stuff. Yes a lot of it is wobbly, but we're also comfortably a year ahead of the established players.

[Aeolun]

> From larger talent pools in node.js, to cheaper scaling with kubernetes.

Larger pools of people, and cheaper infrastructure.

Not necessarily talent and cheaper scaling in my opinion.

[59nadir]

> Yes a lot of it is wobbly, but we're also comfortably a year ahead of the established players.

It's likely that you would be ahead of established players with old, not shiny technology as well. Established players have an inherently harder time progressing in most circumstances and an entirely different maintenance burden in pretty much every layer of their product. Shiny, new technology accounts for much less than people think it does.

[TheColorYellow]

> Investors need to start asking more probing questions about how organizations develop and deploy applications.

Does this even matter though? Shitty technology choices don't always translate to poor business outcomes.

[jacquesm]

This is absolutely true. But shitty technology tends to have hard upper limits to scalability and shitty security tends to put hard upper limits on the company life span. It's interesting how established companies can have one security issue after another but the customers are so locked in they can't leave and so those companies are not nearly as affected as they should be (Equifax anybody?). But your run-of-the-mill start-up would be mortally wounded by such an affair because they still need to sign the bulk of their customers.

Of course it doesn't always play out like that (to every rule there are plenty of exceptions), but investors don't like to be associated with companies that fail or that blow up their reputations either because it makes their exit that much harder or even impossible.

I've seen investors that took the responsible route and made fixing major security issues or other undesirable elements of the target companies a condition to investment and typically these investments succeed in the longer term, not in the least because they cleaned up their act and could then turn that into a USP relative to the rest of the field.

Even so: better invest in a company with a mediocre product and a stellar sales team than to invest in a company with a fantastic product and a mediocre sales team. The first one will get you a better ROI, and tech can be fixed post deal.

[alisonkisk]

What company has been harmed by shitty security on any sort of worrying timescale?

[qz2]

I worked for an online gambling startup that got owned on launch day and the investors pulled out the day after.

Thank fuck I was just a contractor and not a founder or shareholder.

[htormey]

You are totally correct. Beyond a certain level of due diligence it doesn’t matter.

[htormey]

“ Investors need to start asking more probing questions about how organizations develop and deploy applications. Perhaps if the money becomes contingent, people will start to give a shit about the engineering quality”

Why? Most companies fail due to a lack of product market fit not because they picked the wrong software stack. Hence investors time is better spent on company outcomes and not micromanaging whether the backend team is building using Java or Rust or whatever’s trendy.

[nthj]

I see this idea often, and it feels somewhat shortsighted for me. Company outcomes are primarily determined by product-market fit, yes, and: the tighter your feature release feedback loop, the more product-market-fit experiments you can run before you’re out of runway.

Many technology and process choices are just style and preference, absolutely. Others have a material impact on the effort and time to ship a feature. (I’ll leave examples as an exercise to the reader; I imagine any example I used could turn into discussion of “ah you’re doing $FOO wrong.” I suspect this tendency entangles with why these choices seemingly frequently impact business outcomes, from my perspective.)

[htormey]

Well I imagine it’s a function of the stage of companies the VC’s are investing in.

If you are an early stage investor and you are writing lots of checks to cast a wide net do you really have the time to do that level of due diligence? Presumably a quality founding team and a decent demo is enough to tick that box.

If you are a series A or above investor, does it really do anything to provide this advise after the fact?

I image that the assumption is that if the company is successful you can afford to bring in more seasoned people to fix things. At least that’s what I’ve seen on my travels in the Bay Area.