Colleague #3: "Sounds good to me. We're behind the firewall and the NIC used for Dell iDRAC or HP iLO is on an isolated network unique to the physical datacenter. Remote access for our techs is managed through a secured bridge that requires all sorts of security hoops on our company intranet, and remote access for general internet traffic is not available due to the firewall restrictions. There's no way hackers will get through that in the first place."
Colleague #4-20: Build various integrations to database, all with their own ways of storing credentials.
Colleague #2: "It's really past due time to change the database password, but first we have to make sure all critical systems can still access the database."
Which is why forward planning and prompt action are worth so much.
I know I'm stating the obvious, but I've seen some worrying attitudes of "just in time" that seem to go hand in hand with a misunderstanding of Scrum Sprints or Kanban, where people concentrate on the tree and ignore the vast interconnected forest around them.
You would be shocked at how nonchalant and downright negligent people can be about security at even the largest companies in the US. I did consulting work at a large insurance company that had the contact information, SSN, and PHI of pretty much everyone in America (and I mean everyone). I lost track of the number of times people checked the production password into git. In fact, our production Cassandra instance was still using the default cert password 'changeit' when I left. Unsurprisingly, this company was filled with contract workers and H1B workers that were barely able (if at all) to get their work done.
Colleague #437: "So whoever first set this up has left, so I'll just follow the documentation they left to figure out what they did... Oh. ...eh, I got a deadline."
Colleague #1: "What password shall we set?"
Colleague #2: "Just leave it default for now as we're still testing, we will change it later."