My point wasn't that those aren't good but that they're hard enough to do effectively that most places won't see much benefit until they've done a bunch of other things first.
e.g. how many places use least-privilege auth credentials vs. having something like AWS keys or shared database credentials which have access to a ton of shared resources? I'd want to compartmentalize something like that well before changing the UID which code runs under since it's available without any further exploits.
e.g. how many places use least-privilege auth credentials vs. having something like AWS keys or shared database credentials which have access to a ton of shared resources? I'd want to compartmentalize something like that well before changing the UID which code runs under since it's available without any further exploits.