Security is a state of being protected or safe from harm from common threats.
- Let's begin our examination of web security with a simple definition. Webster's Dictionary defines security as the state of being protected or safe from harm, things done to make people or places safe, measures taken to guard against espionage or sabotage, crime, attack, or escape. So security is both the state of being protected and the measures we take to protect. This serves as a good general definition of security.
In this course, we'll be focused on the security of a specific industry, web development. What makes a website secure? When the web server and all of its applications are protected and safe from harm. Websites require special consideration. They're high profile. In fact, they're the main public face of a company. They represent the brand. Websites allow organizations to interact with users, and in some cases, provide a major source of revenue. It's not uncommon for a website to be the whole company. Users need to be able to trust that websites will keep their information safe. That may include personal identifying information, credit card numbers, salary data, or healthcare information. It's our job as developers to provide security so that the projects we put on the web are trustworthy. That's a big responsibility.
To effectively protect a website, we first need to be aware of the risks and pitfalls. We need to know who could do us harm and how they could do it. We can only assert that something is secure after we've surveyed the potential problems and have confidence that we have the right safeguards in place. This can be expressed as a simple equation. Awareness plus adequate protection equals security. My goal in this course is to provide awareness of potential threats. It will be up to you to do the second half, to put the necessary safeguards in place. Spending a lot of time and money on protections is meaningless if your actions aren't based on an awareness of the actual risks and threats.
Awareness is just as important as the protection itself, because it guides your efforts. Here's a quick story that makes this point. During World War II, the British Royal Air Force wanted to protect their planes from being shot down. They examined the planes after they returned from missions, and they noticed that bullet holes were more common on some parts of the plane than on others. So, they should add armor to the parts of the plane with more bullet holes, right? Wrong. Lucky for them, someone smart pointed out that the bullet holes indicate which parts do not need more protection. Those planes had taken a lot of damage, yet still made it back to base. It's the places on the plane with few bullet holes that required extra protection. Planes shot in those places suffered catastrophic failures and never made it back to base. Now, much like the war planes, effective web security should be built on awareness of the real and specific threats. Online security is a very broad and deep topic. In this course, our focus will be on the general principles and mental models that will give you a way to approach the topic. And we'll look at some of the biggest threats and discuss principle-based strategies for handling them.
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting