by chunk_waffle 968 days ago
> Is this really a huge priority?

It is for people who rent out slices of a computer to a bunch of different people and promise that the script kiddie that lives on the same machine as you can't steal your members-only cat photos (e.g. cloud providers.)


Like yes, hypothetically they could do that. But being an infosec person, what I can tell you is much more likely is this: 2 years ago a developer had a bug that he fixed by downgrading the library that interacted with the database. It turned out there was a vulnerability in that version of the library allowing SQL injection, but now that is a core piece of business functionality and no cycles can be spared till "next sprint", which will never come because the company is still a scrappy startup that moves fast and breaks things (despite now having 100 developers and millions in revenue). Then someone finds out and can exfiltrate your entire DB in about 20 minutes with automated tools.

Or, what is more realistic, is that they send an email to Sarah, the CEO's PA, that says she needs to grant access to "John Smith", and she puts her username and credentials into the corresponding link. Then those credentials are used to access GitHub (of course the secretary has GitHub access, because one time the CEO wanted to look at something and couldn't, so now he demands his secretary has full GitHub access), and then they find the root DB username and password, because after it was accidentally committed the intern decided to just delete it and put in a new commit, since he didn't want to get in trouble. That attack took 10 minutes and an email.

My point is that if you are running something so secure that it needs to be protected from this kind of hypothetical attack, then in that case you're probably already paying for a dedicated instance in the first place.
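The "delete it in a new commit" mistake from the comment above, reproduced in a throwaway repo alongside the check a defender would run, as an added example that is not from the thread; the repo, file name and secret value are all constructed for the demo:

```shell
#!/bin/sh
# Added example: a secret removed in a follow-up commit is still in git history.
# Everything here (repo, file name, secret value) is constructed for the demo.
set -eu

PLACEHOLDER_SECRET='DB_PASSWORD=example-not-a-real-secret-0000'

# Build a temporary repository that commits the secret, then "deletes" it.
make_demo_repo() {
  repo="$(mktemp -d)"
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  printf '%s\n' "$PLACEHOLDER_SECRET" > "$repo/config.env"
  git -C "$repo" add config.env
  git -C "$repo" commit -q -m "add db config"
  git -C "$repo" rm -q config.env
  git -C "$repo" commit -q -m "remove config"
  printf '%s\n' "$repo"
}

# Is the secret visible in the tree at HEAD? Prints yes/no. ($1=repo, $2=secret)
secret_in_worktree() {
  if git -C "$1" grep -q -F -e "$2" HEAD -- . 2>/dev/null; then echo yes; else echo no; fi
}

# Is the secret anywhere in the full history, including deleted files? Prints yes/no.
# grep reads all of git's output, so git is never killed by a closed pipe.
secret_in_history() {
  if git -C "$1" log -p --all | grep -F -e "$2" >/dev/null; then echo yes; else echo no; fi
}

# How many commits changed the number of occurrences of the secret (pickaxe search).
commits_exposing() {
  git -C "$1" log --all --format=%H -S "$2" | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
  r="$(make_demo_repo)"
  echo "in HEAD tree:     $(secret_in_worktree "$r" "$PLACEHOLDER_SECRET")"   # no
  echo "in history:       $(secret_in_history "$r" "$PLACEHOLDER_SECRET")"   # yes
  echo "commits touching: $(commits_exposing "$r" "$PLACEHOLDER_SECRET")"    # 2
  rm -rf "$r"
fi
```

Run with `sh script.sh demo`; the history check is the one to automate on the CI side, since HEAD looking clean proves nothing.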

Also anyone who runs JavaScript, since they work across processes.