by proksoup 4110 days ago
The attack vectors that surprised me but should not have:

- MongoHQ support person has access to data in customer database.

- CircleCI stores everything in the MongoHQ database, that is used to deploy/control customer servers.

- CircleCI's customers' CircleCI-controlled environments mixed with production environments.

I am guessing everyone just expects most companies, especially those with maybe just Series A financing or close to it, to employ this level of security paranoia?

2 comments

I think we (those of us using "cloud services") put entirely too much trust in the providers that we use.

We all just pretty much assume that they're doing the right thing(TM) with regard to security even after we've seen, time and again, that this is certainly not the case.

> everyone just expects most companies ... to employ this level of security paranoia?

The established enterprise hosting companies have security-infrastructure teams that are larger than the entire staff of most startups. Draw your own conclusions about how thorough those startups are with regard to security.