> I regard nearly all security for startup-class, user-less, and low-value companies to be premature optimization.
I can't see anybody working on user-less websites anyway but I sincerely hope that you'll make it plain which start-ups you work for so I can avoid them. Security and abuse potential are very important for start-ups because you have only one reputation and if you lose that you're pretty much done for.
I can point you to several pretty harsh reminders of how start-ups that don't take end-user security serious can end up.
I can't see anybody working on user-less websites anyway but I sincerely hope that you'll make it plain which start-ups you work for so I can avoid them. Security and abuse potential are very important for start-ups because you have only one reputation and if you lose that you're pretty much done for.
I can point you to several pretty harsh reminders of how start-ups that don't take end-user security serious can end up.