When should we use secure practices and when not to? Like all good advice secure practices need to be weighed against practicality.
In a perfect world your system will have full test coverage, automated testing, database migration scripts, automated deployments, adhere to common coding practices, have identical dev and test environments, as well as excellent documentation.
In that perfect world the best way to protect production systems is not to allow logins – and to do everything through automation.
But what if that is not the case? What if you’re supporting a legacy system that is hacky, poorly designed – and the business is relying on it at the same time?
In this case your best line of defense is think creatively and have full access to all production systems – so you can react quickly when things go wrong. If automation can not be relied upon – then its hands on test, tweak if you have to, retest, and commit. Until you can replace the system with something more stable.
Sometimes you need to take your safety belt off, if only for a short time.