Before we dive into the specifics of web security fundamentals in the next stage.

Let's discuss how to think about security, in a way that will enable you

to write secure code more easily, efficiently and quickly.

First, consider the following two ways of thinking about security.

Security through Obscurity.

Keeping your applications safe by minimizing it's visibility.

That means attackers might not know where it is.

What it does.

How it works.

Why it's there.

Or who owns it.

Among other things.

Security through Obscurity, is often how developers get away

with running poorly secured, vulnerable applications.

They simply hide the critical components in layers of complexity.

Or use tons of third-party dependencies to carry out functionality, without

thinking about how those dependencies work or impact the overall applications.

Security through Ignorance.

Totally ignoring security when building your web applications.

When in development or learning new tools and

technologies that you aren't deploying directly to production.

This is totally okay, and actually encouraged in many cases.

However, once you make a commitment to deploy your system to production,

you must keep in mind what every technical decision means to your users,

your users' data, your systems up time, and many other properties of your system.

If you ignore security for your production applications,

you risk many of the issues we have discussed so far.

Losing your customers data, losing your job, or even worse.

Permanently destroying your company's brand.

These two ways of thinking about security are obviously insufficient, but

when you don't start with security first, this is often what you're stuck with.

Failing to plan is planning to fail.

We want to have a security first mindset, when thinking about our applications.

Including thinking about security whenever possible, as the first and

most important consideration.

Without allowing it to hurt overall design and architecture of our applications and

services.

This may sound crazy.

Why would we prioritize security over speed or maintainability?

The truth is efficiency, speed and

maintainability don't have to be compromised to have great security.

Like any other part of software engineering, it is

all about trade-offs which we will discuss throughout the rest of this course.

When we elevate security to the top of our priorities list,

we are considering two essential principles.

Security by Design and Security by Default.

By designing your systems from the ground up, and

making sure that your system's prefer the most secure options by default.

You have taken a holistic view of securing your application.

No longer would you be patching over vulnerable code

after you've already deployed.

And you certainly won't be ignoring security all together.

In general,

you should start by acknowledging that vulnerabilities will occur in code.

Do not simply ignore the cold truth that you can be compromised.

The next step is to maintain and prioritize the people on your team,

including you, who deal with security.

As well as any developers who deploy code.

Finally, you and

your team should always be thinking about how attackers will hurt you.

It is this last point that really makes a big difference.

Without considering how attackers might breach your system,

you can't put the necessary protections in place to stop them.