Hacker News new | ask | show | jobs
by brokenwren 1969 days ago
Then you should also group the database in your core competencies and would likely need to consider building this yourself. Or the OS. Or the web framework. Or the wire protocols.

Sure, this is hyperbolic, but it does illustrate that not everything is a "core competency". There are always tradeoffs and decisions when it comes to software.

In my opinion, authentication and authorization are likely not core competencies for 99% of businesses. They are simply capabilities that just need to work and the business doesn't need to own them. This is the same with the database. Using a tool like FusionAuth, Keycloak, or SuperTokens will cover all of their needs.
2 comments
robotdan 1969 days ago
I think @tremon is just getting at that auth must be considered critical, and thus you should maintain some level of skill and competency to ensure you don't get blindsided.

Perhaps the distinction is just because something isn't a "core competency" does not mean it is not critical. And just because it isn't a "core competency" doesn't mean you can afford to be ignorant on the topic.

link
JamesSwift 1969 days ago
That seems silly though. It is for this very reason you "dont roll your own crypto". _Because_ its critical, and _because_ others can handle it better when thats what they are focused on.
link
ehutch79 1969 days ago
Never roll your own crypto, but you should damn well know how to use the library properly.
link
dsr_ 1969 days ago
For most businesses, the database is a required part of the functioning of the business. That means:

- the database must be secured against unauthorized or improper use

- the database must be accessed efficiently

- the database must have some degree of resilience

- the database must be recoverable

- the database must be available

Each business will have different weightings for these properties -- does a dating website care more about database security than a bank does? -- which will lead to different decisions about who should own and manage the DB.

But a business is, absolutely, a group of people who are doing things together. If you can't identify, authenticate, and authorize those people, you don't have a business. And if the database that stores that information isn't among your highest priorities, I think that business is rather misguided.

link
brokenwren 1969 days ago
Exactly. And most businesses "outsource" their database. They might use PostgreSQL for free or they might pay Microsoft for SQL Server. In my opinion, this is analogous to auth.
link