A security mindset asks: "How could this break? How could someone abuse this?"—before shipping, not only after an incident.
Habits
- Validate and encode untrusted input at trust boundaries
- Default deny—explicit allow lists for auth and network
- Never log passwords or full credit card numbers
- Keep dependencies updated; read security advisories
- Threat-model new features in a 30-minute design sketch
Secure defaults
New features should be secure with zero config: HTTPS only, secure cookies, parameterized queries, least-privilege service accounts.
Important interview questions and answers
- Q: Trust boundary?
A: Where data crosses from untrusted (user input) to trusted (your database).
- Q: Default deny?
A: Block unless explicitly allowed—safer than allow unless blocked.
Self-check
- List three developer security habits.
- What is a trust boundary?
Challenge
Threat-sketch one feature
- Pick a login or checkout flow you know.
- List assets, trust boundaries, and top three threats.
- Name one control per threat.
Done when: you have a one-page STRIDE-style sketch for a real feature.
Interview prep
- Trust boundary?
Line between untrusted input and trusted systems.