Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How often does code go through security audits? Is every feature audited prior to deploying to live? GitHub is making money by selling private repositories which will often contain very sensitive code, so ensuring nobody can gain unauthorised access to them is presumably one of the top concerns.

I'm interested in seeing how tight security requirements fit in with this almost continuous deployment strategy.



We do continuous deployment at Etsy[1] as well. Here is a talk from our head of application security (probably not his official title, fyi) about some of the stuff we do: http://www.slideshare.net/zanelackey/effective-approaches-to....

[1]: http://www.etsy.com, the world's marketplace for handmade and vintage goods.


Every commit is reviewed by at least 1 person. Depending on the feature, several people may chime in. I find that reviewing smaller diffs is much easier. We also use Team Mentions (@github/api, for example) liberally to get more eyeballs.

We also have regular audits with external security firms.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: