Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.
Start a free Basic trial
to watch this video
You can’t truly call yourself adept at web security until you have learned and developed a mindset of thinking securely. In this video, we will explore common ways to think about web security and broader software security.
New Terms
- Security through Obscurity: Keeping your system safe because attackers don’t know where it is, what it does, how it works, why it’s there, who owns it, etc.
- Security through Ignorance: Keeping your system safe by completely ignoring the fact that computer security exists, bad guys aren’t real and don’t care about your company, and vulnerabilities are a myth.
- Security by Design/Default: you should keep your apps safe by designing it to be security from the ground up.
Documentation
Security by Design principles, from OWASP
Stack Overflow: Security through obscurity and encryption
Further Reading
JavaScript Security: What You Need to Know to Write Secure Applications in JS, by Jared Smith
Technet Magazine, Benefits and drawbacks of Security through Obscurity in some popular Microsoft technologies
-
0:00
Before we dive into the specifics of web security fundamentals in the next stage.
-
0:05
Let's discuss how to think about security, in a way that will enable you
-
0:10
to write secure code more easily, efficiently and quickly.
-
0:15
First, consider the following two ways of thinking about security.
-
0:20
Security through Obscurity.
-
0:22
Keeping your applications safe by minimizing it's visibility.
-
0:26
That means attackers might not know where it is.
-
0:30
What it does.
-
0:31
How it works.
-
0:32
Why it's there.
-
0:34
Or who owns it.
-
0:35
Among other things.
-
0:37
Security through Obscurity, is often how developers get away
-
0:41
with running poorly secured, vulnerable applications.
-
0:45
They simply hide the critical components in layers of complexity.
-
0:49
Or use tons of third-party dependencies to carry out functionality, without
-
0:54
thinking about how those dependencies work or impact the overall applications.
-
1:00
Security through Ignorance.
-
1:03
Totally ignoring security when building your web applications.
-
1:08
When in development or learning new tools and
-
1:11
technologies that you aren't deploying directly to production.
-
1:15
This is totally okay, and actually encouraged in many cases.
-
1:20
However, once you make a commitment to deploy your system to production,
-
1:25
you must keep in mind what every technical decision means to your users,
-
1:30
your users' data, your systems up time, and many other properties of your system.
-
1:36
If you ignore security for your production applications,
-
1:40
you risk many of the issues we have discussed so far.
-
1:43
Losing your customers data, losing your job, or even worse.
-
1:48
Permanently destroying your company's brand.
-
1:52
These two ways of thinking about security are obviously insufficient, but
-
1:56
when you don't start with security first, this is often what you're stuck with.
-
2:02
Failing to plan is planning to fail.
-
2:05
We want to have a security first mindset, when thinking about our applications.
-
2:10
Including thinking about security whenever possible, as the first and
-
2:15
most important consideration.
-
2:17
Without allowing it to hurt overall design and architecture of our applications and
-
2:22
services.
-
2:24
This may sound crazy.
-
2:25
Why would we prioritize security over speed or maintainability?
-
2:30
The truth is efficiency, speed and
-
2:33
maintainability don't have to be compromised to have great security.
-
2:38
Like any other part of software engineering, it is
-
2:41
all about trade-offs which we will discuss throughout the rest of this course.
-
2:45
When we elevate security to the top of our priorities list,
-
2:49
we are considering two essential principles.
-
2:53
Security by Design and Security by Default.
-
2:57
By designing your systems from the ground up, and
-
3:00
making sure that your system's prefer the most secure options by default.
-
3:05
You have taken a holistic view of securing your application.
-
3:10
No longer would you be patching over vulnerable code
-
3:13
after you've already deployed.
-
3:15
And you certainly won't be ignoring security all together.
-
3:20
In general,
-
3:20
you should start by acknowledging that vulnerabilities will occur in code.
-
3:26
Do not simply ignore the cold truth that you can be compromised.
-
3:30
The next step is to maintain and prioritize the people on your team,
-
3:36
including you, who deal with security.
-
3:39
As well as any developers who deploy code.
-
3:42
Finally, you and
-
3:44
your team should always be thinking about how attackers will hurt you.
-
3:48
It is this last point that really makes a big difference.
-
3:52
Without considering how attackers might breach your system,
-
3:55
you can't put the necessary protections in place to stop them.
You need to sign up for Treehouse in order to download course files.
Sign up