I was once, in my much younger days, at a company where the development team worked at a different office to the "head office" product team.

We were a PoS app, and had no SaaS web offering.

The head office was keen to get one, so someone there prototyped one; that prototype impressed the board so much that they got a couple of contractors in (with no knowledge of the actual product development team) to flesh out the prototype.

Eventually the product team admitted what they were doing and brought in the developers to take a look at how they were working.

They were using git, but not really using it, because their actual mode of working was to SSH into the production machine and use vim to edit the code.

Multiple users, SSHing into the same space, editing the same files. Sure, they had a git log, but it wasn't exactly best practice.

It was also all PHP, but we were a VB6/.NET shop, so there was some friction around whether we should all learn PHP and embrace that going forward.

I was half impressed they managed to get so far with their prototype, half horrified by what I found.

There was not just no security consideration; they didn't know what an IDOR was.

I was incredibly impressed by the professionalism of the security auditor they got to review the code. I learned a heck of a lot from him in the few days he was with them. I regret to this day not writing down his name.

But yeah, those deployments were probably the fastest they would ever deploy.

Despite being impressed by the forward thinking of the product team to force the issue and get some kind of SaaS web presence, I sharpened up my CV and got a job which didn't involve either VB6 or PHP.
