How often does code go through security audits? Is every feature audited prior to deploying to live?
GitHub is making money by selling private repositories which will often contain very sensitive code, so ensuring nobody can gain unauthorised access to them is presumably one of the top concerns.
I'm interested in seeing how tight security requirements fit in with this almost continuous deployment strategy.
Every commit is reviewed by at least 1 person. Depending on the feature, several people may chime in. I find that reviewing smaller diffs is much easier. We also use Team Mentions (@github/api, for example) liberally to get more eyeballs.
We also have regular audits with external security firms.