You can’t truly call yourself adept at web security until you have learned and developed a mindset of thinking securely. In this video, we will explore common ways to think about web security and broader software security.
- Security through Obscurity: Keeping your system safe because attackers don’t know where it is, what it does, how it works, why it’s there, who owns it, etc.
- Security through Ignorance: Keeping your system safe by completely ignoring the fact that computer security exists, bad guys aren’t real and don’t care about your company, and vulnerabilities are a myth.
- Security by Design/Default: keeping your apps safe by designing them to be secure from the ground up, and by making the secure option the default one.
Technet Magazine, Benefits and drawbacks of Security through Obscurity in some popular Microsoft technologies
Before we dive into the specifics of web security fundamentals in the next stage, let's discuss how to think about security in a way that will enable you to write secure code more easily, efficiently and quickly. First, consider the following two ways of thinking about security.

Security through Obscurity: keeping your applications safe by minimizing their visibility. That means attackers might not know where an application is, what it does, how it works, why it's there, or who owns it, among other things. Security through Obscurity is often how developers get away with running poorly secured, vulnerable applications. They simply hide the critical components in layers of complexity, or use tons of third-party dependencies to carry out functionality without thinking about how those dependencies work or how they impact the overall application.

Security through Ignorance: totally ignoring security when building your web applications. When you are in development, or learning new tools and technologies that you aren't deploying directly to production, this is totally okay, and actually encouraged in many cases. However, once you make a commitment to deploy your system to production, you must keep in mind what every technical decision means for your users, your users' data, your system's uptime, and many other properties of your system. If you ignore security for your production applications, you risk many of the issues we have discussed so far: losing your customers' data, losing your job, or, even worse, permanently destroying your company's brand.

These two ways of thinking about security are obviously insufficient, but when you don't start with security first, this is often what you're stuck with. Failing to plan is planning to fail. We want to have a security-first mindset when thinking about our applications, including thinking about security whenever possible as the first and most important consideration, without allowing it to hurt the overall design and architecture of our applications and services.

This may sound crazy. Why would we prioritize security over speed or maintainability? The truth is, efficiency, speed and maintainability don't have to be compromised to have great security. Like any other part of software engineering, it is all about trade-offs, which we will discuss throughout the rest of this course.

When we elevate security to the top of our priorities list, we are considering two essential principles: Security by Design and Security by Default. By designing your systems securely from the ground up, and making sure that your systems prefer the most secure options by default, you have taken a holistic view of securing your application. No longer would you be patching over vulnerable code after you've already deployed, and you certainly won't be ignoring security altogether.

In general, you should start by acknowledging that vulnerabilities will occur in code. Do not simply ignore the cold truth that you can be compromised. The next step is to maintain and prioritize the people on your team, including you, who deal with security, as well as any developers who deploy code. Finally, you and your team should always be thinking about how attackers will hurt you. It is this last point that really makes a big difference. Without considering how attackers might breach your system, you can't put the necessary protections in place to stop them.