Developing a Security-first Mindset

Before we dive into the specifics of web security fundamentals in the next stage. 0:00 Let's discuss how to think about security, in a way that will enable you 0:05 to write secure code more easily, efficiently and quickly. 0:10 First, consider the following two ways of thinking about security. 0:15 Security through Obscurity. 0:20 Keeping your applications safe by minimizing it's visibility. 0:22 That means attackers might not know where it is. 0:26 What it does. 0:30 How it works. 0:31 Why it's there. 0:32 Or who owns it. 0:34 Among other things. 0:35 Security through Obscurity, is often how developers get away 0:37 with running poorly secured, vulnerable applications. 0:41 They simply hide the critical components in layers of complexity. 0:45 Or use tons of third-party dependencies to carry out functionality, without 0:49 thinking about how those dependencies work or impact the overall applications. 0:54 Security through Ignorance. 1:00 Totally ignoring security when building your web applications. 1:03 When in development or learning new tools and 1:08 technologies that you aren't deploying directly to production. 1:11 This is totally okay, and actually encouraged in many cases. 1:15 However, once you make a commitment to deploy your system to production, 1:20 you must keep in mind what every technical decision means to your users, 1:25 your users' data, your systems up time, and many other properties of your system. 1:30 If you ignore security for your production applications, 1:36 you risk many of the issues we have discussed so far. 1:40 Losing your customers data, losing your job, or even worse. 1:43 Permanently destroying your company's brand. 1:48 These two ways of thinking about security are obviously insufficient, but 1:52 when you don't start with security first, this is often what you're stuck with. 1:56 Failing to plan is planning to fail. 2:02 We want to have a security first mindset, when thinking about our applications. 2:05 Including thinking about security whenever possible, as the first and 2:10 most important consideration. 2:15 Without allowing it to hurt overall design and architecture of our applications and 2:17 services. 2:22 This may sound crazy. 2:24 Why would we prioritize security over speed or maintainability? 2:25 The truth is efficiency, speed and 2:30 maintainability don't have to be compromised to have great security. 2:33 Like any other part of software engineering, it is 2:38 all about trade-offs which we will discuss throughout the rest of this course. 2:41 When we elevate security to the top of our priorities list, 2:45 we are considering two essential principles. 2:49 Security by Design and Security by Default. 2:53 By designing your systems from the ground up, and 2:57 making sure that your system's prefer the most secure options by default. 3:00 You have taken a holistic view of securing your application. 3:05 No longer would you be patching over vulnerable code 3:10 after you've already deployed. 3:13 And you certainly won't be ignoring security all together. 3:15 In general, 3:20 you should start by acknowledging that vulnerabilities will occur in code. 3:20 Do not simply ignore the cold truth that you can be compromised. 3:26 The next step is to maintain and prioritize the people on your team, 3:30 including you, who deal with security. 3:36 As well as any developers who deploy code. 3:39 Finally, you and 3:42 your team should always be thinking about how attackers will hurt you. 3:44 It is this last point that really makes a big difference. 3:48 Without considering how attackers might breach your system, 3:52 you can't put the necessary protections in place to stop them. 3:55