
Then you should also group the database in your core competencies and would likely need to consider building this yourself. Or the OS. Or the web framework. Or the wire protocols.

Sure, this is hyperbolic, but it does illustrate that not everything is a "core competency". There are always tradeoffs and decisions when it comes to software.

In my opinion, authentication and authorization are likely not core competencies for 99% of businesses. They are simply capabilities that just need to work and the business doesn't need to own them. This is the same with the database. Using a tool like FusionAuth, Keycloak, or SuperTokens will cover all of their needs.



I think @tremon is just getting at that auth must be considered critical, and thus you should maintain some level of skill and competency to ensure you don't get blindsided.

Perhaps the distinction is just because something isn't a "core competency" does not mean it is not critical. And just because it isn't a "core competency" doesn't mean you can afford to be ignorant on the topic.


That seems silly though. It is for this very reason you "don't roll your own crypto". _Because_ it's critical, and _because_ others can handle it better when that's what they are focused on.


Never roll your own crypto, but you should damn well know how to use the library properly.


For most businesses, the database is a required part of the functioning of the business. That means:

- the database must be secured against unauthorized or improper use

- the database must be accessed efficiently

- the database must have some degree of resilience

- the database must be recoverable

- the database must be available

Each business will have different weightings for these properties -- does a dating website care more about database security than a bank does? -- which will lead to different decisions about who should own and manage the DB.

But a business is, absolutely, a group of people who are doing things together. If you can't identify, authenticate, and authorize those people, you don't have a business. And if the database that stores that information isn't among your highest priorities, I think that business is rather misguided.


Exactly. And most businesses "outsource" their database. They might use PostgreSQL for free or they might pay Microsoft for SQL Server. In my opinion, this is analogous to auth.



