I started my career back in the days when we hosted servers in the basement of the office. At the time, we never really thought much about security until we deployed the code (which pretty much meant FTPing a bunch of files to a server). Security was handled at the router first – block malicious traffic from getting in the door. Then we locked down the firewall on the server itself (no, you can’t telnet from outside the building).
Skip forward 15-20 years. We like to think in the days of solid development cycles and continuous integration/continuous deployment we have this whole security thing nailed. But to be honest, we, as an industry, still pretty much treat security as the thing you do in Production. We treat our dev boxes an awfully lot like my team treated servers back in the day – it’s okay, it’s inside the firewall.
Only it’s not okay.