DEV Community

Narnaiezzsshaa Truong


The Baselines Most Teams Don't Know They're Missing

A follow-up to the $5 VPS SaaS Playbook


Most teams think they're missing advanced tooling. They're not. They're missing the baselines—the boring, unglamorous, absolutely essential operational spine that keeps a system alive.

These aren't "senior-level practices." These are the minimum viable habits of a system that intends to survive its own success.

Let's name them plainly.


1. Tested Restores (Not Just Backups)

Everyone has backups. Almost no one has:

  • timed restore drills
  • restore runbooks
  • corruption detection
  • restore-under-pressure practice

If you've never restored your system while the clock is ticking, you don't know if you can.


2. Secrets Hygiene (Rotation, Revocation, Lifecycle)

Most teams treat secrets like static configuration:

  • rotation is rare
  • revocation is chaos
  • no one knows which secrets are still valid
  • no one knows who can read what

Secrets are living credentials, not environment variables.


3. Dependency Awareness (The npm Install Problem)

Teams install packages they've never:

  • audited
  • verified
  • mapped
  • threat-modeled

Transitive dependencies are invisible until they aren't. Supply chain risk is now the #1 attack vector in modern SaaS.
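
An added example, not part of the original post: one way to make transitive dependencies visible is to read the lockfile itself. It assumes npm's `package-lock.json` in lockfileVersion 2 or 3 (the `packages` map); the sample lockfile, the package names and the single-approved-registry rule are constructed for illustration.

```javascript
// Added example: split a package-lock.json (lockfileVersion 2/3) into direct
// and transitive packages, and flag entries that deserve a manual review.
const REGISTRY = "https://registry.npmjs.org/"; // assumption: the only approved source

function mapDependencies(lock) {
  const root = lock.packages[""] || {};
  const declared = new Set(Object.keys({
    ...root.dependencies, ...root.devDependencies, ...root.optionalDependencies,
  }));
  const report = { direct: [], transitive: [], findings: [] };

  for (const [path, pkg] of Object.entries(lock.packages)) {
    // Skip the root project, workspace source folders and workspace links.
    if (!path.includes("node_modules/") || pkg.link) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const id = `${name}@${pkg.version}`;
    // Direct only if installed at the top level AND named in the root manifest.
    const isDirect = path === `node_modules/${name}` && declared.has(name);
    (isDirect ? report.direct : report.transitive).push(id);

    if (!pkg.integrity) report.findings.push({ id, issue: "no integrity hash" });
    if (!pkg.resolved || !pkg.resolved.startsWith(REGISTRY))
      report.findings.push({ id, issue: "resolved outside approved registry" });
    if (pkg.hasInstallScript)
      report.findings.push({ id, issue: "runs install script" });
  }
  return report;
}

// Constructed sample lockfile (package names, URLs and hashes are placeholders).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "web-lib": "^1.0.0" } },
    "node_modules/web-lib": { version: "1.2.0",
      resolved: "https://registry.npmjs.org/web-lib/-/web-lib-1.2.0.tgz",
      integrity: "sha512-PLACEHOLDER" },
    "node_modules/tiny-util": { version: "0.3.1",
      resolved: "https://registry.npmjs.org/tiny-util/-/tiny-util-0.3.1.tgz",
      integrity: "sha512-PLACEHOLDER", hasInstallScript: true },
    "node_modules/web-lib/node_modules/fork-dep": { version: "2.0.0",
      resolved: "git+ssh://git@example.invalid/fork-dep.git#0000000" },
  },
};

console.log(JSON.stringify(mapDependencies(sampleLock), null, 2));
```

In the sample, only one of the three installed packages was chosen by the team; the other two arrived transitively, and both carry a finding.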


4. Incident Response Beyond "Whoever's Awake"

Most teams rely on:

  • tribal knowledge
  • adrenaline
  • Slack pings
  • whoever happens to be online

What's missing:

  • runbooks
  • escalation paths
  • decision logs
  • post-incident discipline

Incidents aren't technical failures—they're coordination failures.


5. Logging That Means Something

Logs exist. But:

  • no one reads them
  • no one knows what "normal" looks like
  • no one tracks anomalies
  • no one detects drift

Logging without baselines is just storage.


6. Access Control Beyond "Everyone Is Admin"

Least privilege is a principle. Without governance, it's not a practice.

Most teams have:

  • stale permissions
  • over-privileged roles
  • no audit trail
  • no lifecycle for access

Permissions accrete like sediment.


7. Threat Modeling as a Habit, Not a Workshop

Threat modeling isn't paranoia. It's literacy.

Most teams have never asked:

  • "What happens if the database is compromised?"
  • "What happens if CI is compromised?"
  • "What happens if a developer laptop is compromised?"
  • "What happens if we are compromised?"

If you don't know how your system fails, you don't know your system.


Closing

None of this is advanced. None of this is optional. These are the baselines.

If the VPS SaaS Playbook shows you how to build, this article shows you how to keep it alive.


Which baseline is your team actually missing?
