I have tons of experience with enterprise linux, so I tend to use Rocky linux. It’s similar to my Fedora daily driver, which is nice, and very close to the RHEL and Centos systems I used to own.
You are slightly mistaken with your assumption that debian is insecure because of the old packages. Old packages are fine, and not inherently insecure because of its age. I only become concerned about the security implications of a package if it is dual use/LOLBin, known to be vulnerable, or has been out of support for some time. The older packages Debian uses, at least things related to infrastructure and hosting, are the patched LTS release of a project.
My big concerns for picking a distro for hosting services would be reliability, level of support, and familiarity.
A more reliable distro is less likely to crash or break itself. Enterprise linux and Debian come to mind with this regard.
A distro that is well supported will mean quick access to security patches, updates, and more stable updates. It will have good, accurate documentation, and hopefully some good guides. Enterprise linux, Debian and Ubuntu have excellent support. Enterprise linux distros have incredible documentation, and often are similar enough that documentation for a different branch will work fine. Heck, I usually use rhel docs when troubleshooting my fedora install since it is close enough to get me to a point where the application docs will guide me through.
Familiarity is self explanatory. But it is important because you are more likely to accidentally compromise security in an unfamiliar environment, and it’s the driving force behind me sticking with enterprise linux over Nixos or a hardened OpenBSD.
As a fair word of warning, enterprise linux will be pretty different compared to any desktop distro, even fedora. It takes quite a bit of learning, to get comfortable (especially with SELinux), but once you do, things will go smoothly. you can also use a pirated rhel certification guide to learn enterprise linux
If anything, you can simply mess around in a local VM and try installing the tools and services needed before taking it to the cloud.
Absolutely.
I don’t have a CS degree, I have a Cybersecurity and Forensics one. But, I love programming, and between the overlap of the two degrees and and my advanced designation I ended up taking about 3/4ths of the classes needed to get a CS degree.
Diversifying helped so much with me becoming a well rounded developer. My assembly programming class, while optional for CS, was mandatory for me, made me a significantly better dev. That assembly knowledge got me to become a skilled debugger, which made my C++ classes 10x easier, and it helped me understand memory at a lower level, making the memory problems easier to diagnose and fix.
I convinced a CS friend to take one of my cyber classes, Reverse Engineering, and he found te components of the class where we analyzed a vulnerable program to find and exploit the vuln, or the bit where we tried and determined the bug based on malware that exploited it is insightful to learning to program securely.
Learning about the infrastructure used in enterprise during a Windows admin or Linux admin class will make it easier to write code for those systems.
From the cybersecurity perspective, many of my CS classes carry me hard. Knowing how programs are written, how APIs are developed, and how to design complex software lets me make more educated recommendations based on what little information I’m given by the limited logs I am given to investigate. Writing code that interfaces with linux primitives makes it easier to conceptualize what’s going on when I am debugging a broken linux system.