Skip to content
PersonalNotes

Introduction

What “Security” Actually Means

Security is the practice of protecting systems against unauthorized access, misuse, disclosure, modification, or destruction.
It is not about perfection or eliminating risk, but about managing risk consciously.
Every security decision is a trade-off between risk, usability, cost, and complexity.

A useful framing is:

Security is about controlling who can do what, to which data, under which assumptions.

Core Security Goals

Confidentiality

Ensure data is only accessible to authorized entities.
Encryption, access control, and secret management support this goal.

Integrity

Ensure data and behavior cannot be tampered with undetected.
Hashing, signatures, authorization checks, and immutability help here.

Availability

Ensure systems remain usable even under attack or failure.
Rate limiting, redundancy, and graceful degradation matter.

Authenticity & Accountability (Often Added)

Know who performed an action and be able to prove it later.
Authentication, logging, and audit trails support this.

Fundamental Mental Models

Trust Boundaries

Any point where data crosses from one trust level to another is dangerous. Examples:

  • Browser → Server
  • User input → Database
  • Service A → Service B

Assume everything crossing a boundary is hostile until proven otherwise.

Attacker Mindset

Always ask:

  • What can an attacker control?
  • What assumptions does the system make?
  • What happens if those assumptions are false?

Attackers combine small weaknesses into full exploit chains.

Defense in Depth

No single control is sufficient. Layers fail independently:

  • Validation
  • Encoding
  • Authentication
  • Authorization
  • Monitoring

Expect failures and design for containment.

Secure by Design vs Secure by Patch

Security added later is weaker and more expensive. Design systems so:

  • Unsafe states are impossible
  • Secure paths are the default
  • Dangerous APIs are hard to misuse

Common Classes of Vulnerabilities

Input and Output Issues

  • XSS
  • SQL injection
  • Command injection
  • Template injection

Authentication and Authorization

  • Weak password storage
  • Broken access control
  • Privilege escalation
  • Session fixation

Web and Browser Issues

  • CSRF
  • CORS misconfiguration
  • Clickjacking
  • Token leakage

Cryptography Misuse

  • Rolling your own crypto
  • Reusing nonces
  • Weak randomness
  • Incorrect key storage

Operational and Supply Chain

  • Hardcoded secrets
  • Insecure CI/CD
  • Dependency compromise
  • Excessive permissions

Practical Good Practices

Input and Rendering

  • Validate input for shape and size
  • Encode output for the correct context
  • Avoid dangerous APIs (eval, innerHTML)

Identity and Access

  • Enforce least privilege
  • Separate authentication from authorization
  • Use short-lived credentials

Secrets

  • Never commit secrets
  • Rotate regularly
  • Centralize secret storage

Cryptography

  • Use well-reviewed libraries
  • Understand what primitives do
  • Prefer established protocols

Monitoring and Response

  • Log security-relevant events
  • Alert on anomalies
  • Practice incident response

Threat Modeling (Lightweight)

Ask these questions early:

  1. What are we protecting?
  2. Who are the attackers?
  3. What can go wrong?
  4. What mitigations exist?
  5. What risks remain?

Even informal threat modeling dramatically improves outcomes.

Common Cognitive Traps

  • “The framework handles it”
  • “No one would attack this”
  • “It’s internal only”
  • “We’ll fix it later”
  • “It worked in production before”

Security failures often stem from false assumptions, not missing tools.

Learning Strategy for Security

Phase 1: Foundations

  • Web security fundamentals
  • Browser security model
  • Auth, sessions, tokens
  • Basic cryptography usage

Phase 2: Depth

  • XSS, CSRF, OAuth, CORS
  • API abuse patterns
  • Secure system design
  • Incident analysis

Phase 3: Expertise

  • Threat modeling
  • Supply chain security
  • Distributed systems security
  • Hardening and monitoring

High-Quality Learning Resources

Reference Material

  • OWASP Top 10
  • OWASP Cheat Sheets
  • NIST SP 800 series

Practical Learning

  • Web security labs (intentionally vulnerable apps)
  • Reading real CVEs and postmortems
  • Source code of mature security libraries

Mental Model Builders

  • Security engineering books
  • Protocol specifications
  • Incident write-ups from large companies

Key Takeaways

  • Security is about risk management, not absolutes
  • Browsers, networks, and systems have their own rules — learn them
  • Most bugs are design flaws, not missing checks
  • Think in terms of attacker capabilities
  • Build systems that fail safely

Security is not a feature — it is a property of the system as a whole.