This. I worked with an end-to-end encrypted communications company for 5 years, and learned a vast amount more about crypto, attack vectors, and security holes than I did in the previous decade or two, but I would never claim to be a security or crypto expert, or even competent at it.
In fact, I almost certainly know only a tiny fraction of what the actual experts in that company knew, but a number of people have told me that I know a lot more about it than the average developer.
That scares me, and if people flame someone for recommending that a dedicated security expert be hired by companies that handle sensitive data, I can only conclude it is out of ignorance - of what's out there, and what's possible.
On the other hand, there are economic realities to consider, especially in early-stage, underfunded startups. What do they do about this?