Module 24 Systems

Security for Engineers

Security is one of the most common areas where vibe coding produces genuinely dangerous code. AI generates code that works — but it also generates code with SQL injection vulnerabilities, improperly validated JWT tokens, stored XSS in user-generated content, CSRF-vulnerable forms, and hard-coded credentials. If you can't read the generated code and audit it for these issues, you're shipping vulnerabilities alongside features. This module teaches security from first principles, not as a checklist of things to avoid but as a way of thinking about systems. You'll understand how each vulnerability class works at the attack level — not just 'sanitize your inputs' but exactly how an attacker exploits unsanitized inputs, what the payload looks like, and why the defense works. This attack-first understanding is what makes security training stick instead of being forgotten between audits. You'll implement the complete authentication and authorization stack: password hashing with bcrypt, stateless sessions with JWTs, OAuth 2.0 flows for third-party authentication, role-based access control. You'll understand cryptographic primitives — symmetric and asymmetric encryption, hashing, digital signatures — not as magic boxes but as tools with specific properties and appropriate uses. And you'll practice threat modeling with the STRIDE framework, learning to enumerate attack surfaces systematically rather than hoping you remembered every threat.

What You'll Learn

  • 1
    Authentication — Passwords, hashing, tokens, OAuth, MFA
  • 2
    Authorization — RBAC, ABAC, JWT claims, permission models
  • 3
    Common Vulnerabilities — XSS, CSRF, SQL injection, SSRF with live examples
  • 4
    Cryptography Fundamentals — Symmetric, asymmetric, hashing, signing
  • 5
    Secure System Design — Defense in depth, principle of least privilege
  • 6
    Threat Modeling — STRIDE framework, attack surfaces, risk assessment

Capstone Project: Security Audit and Hardening

Perform a security audit on a deliberately vulnerable web application — identifying and exploiting XSS, CSRF, SQL injection, IDOR, and authentication bypass vulnerabilities — then fix each one with the correct defense (parameterized queries, CSRF tokens, output encoding, proper authorization checks) and document the attack vector, the fix, and the verification that the fix is complete. You'll also perform a STRIDE threat model on the application and identify threats not yet exploited.

Why This Matters for Your Career

Security vulnerabilities in production applications cause real harm: data breaches that affect users, financial fraud, regulatory liability, and reputational damage. The consequences of an SQL injection vulnerability in a production database or a stored XSS in a public application are not abstract — they are incidents that make news and end careers. Engineers who understand these vulnerabilities build applications that don't have them. The economics of security favor the attacker. One vulnerability in a thousand endpoints is all an attacker needs. Defense in depth — multiple overlapping controls so that any single failure doesn't lead to total compromise — is the architectural philosophy that addresses this asymmetry. Engineers who think about security holistically, not just as input sanitization, build systems that are resilient rather than just correctly coded in the happy path. OWASP Top 10 vulnerabilities have appeared in roughly the same form for decades. SQL injection was a problem in the early 2000s and it's still a problem today because developers without security training keep reintroducing it. Engineers who have explicitly studied these vulnerabilities — at the attack level, not just the prevention level — don't introduce them. That's the simplest possible security argument: understand what you're preventing and you'll prevent it.