The Security Mindset: CIA, Threats, and Thinking Like an Attacker
Every other course in this curriculum has asked "how do I make this work?" Security asks a different, harder question: "how could this be made to fail — deliberately, by someone w…
Computer Security covers: The Security Mindset, Authentication, Authorization and Federated Identity, The OWASP Top 10, Defense in the Browser and the Pipeline. Year 3, Quarter 12. Includes 17 exercises and 2 projects.
This course unlocks once you've finished its prerequisite. Open prerequisite →
Every other course in this curriculum has asked "how do I make this work?" Security asks a different, harder question: "how could this be made to fail — deliberately, by someone w…
Authentication is the front door of every system — the moment where an anonymous request has to prove it belongs to a specific person — and it is where an enormous fraction of rea…
Authentication answered who you are. Authorization answers a completely different and equally critical question: what are you allowed to do? — and confusing the two is the source …
There is a document that, if every web developer read and internalized it, would prevent the majority of real-world breaches: the OWASP Top 10, a ranked list of the vulnerability …
The final lesson of Computer Security is about the layers — the defenses that don't prevent a single attack so much as build walls around whole categories of them, in the two plac…
- [ ] PS Lab: SQL Injection — Retrieve hidden data by modifying a SQL query — PortSwigger Apprentice - [ ] PS Lab: Reflected XSS — Inject JavaScript into a search parameter — Port…
- [ ] PS Lab: Blind SQL Injection with conditional responses — PortSwigger Practitioner - [ ] PS Lab: Stored XSS — Inject persistent JavaScript in a comment — PortSwigger Practiti…
- [ ] PS Lab: Blind XXE with out-of-band data exfiltration — PortSwigger Expert - [ ] PS Lab: HTTP Request Smuggling — CL.TE and TE.CL attacks — PortSwigger Expert - [ ] PS Lab: P…
- [ ] Build a deliberately vulnerable Rails app (like DVWA) — Include SQL injection, XSS, CSRF, insecure auth, broken access control; then build the secure version with all fixes …
Build a small Rails app with intentional OWASP Top 5 vulnerabilities (SQL injection, XSS, CSRF bypass, broken auth, insecure direct object references). Then create a branch with a…
- [ ] Milestone 1: Security audit — run Brakeman, bundler-audit, check OWASP Top 10 - [ ] Milestone 2: Pen test — attempt SQL injection, XSS, CSRF, auth bypass on the app - [ ] Mi…
- [ ] Explain SQL injection. How do parameterized queries prevent it? - [ ] Explain XSS (cross-site scripting). What is the difference between reflected and stored XSS? - [ ] Expl…
12 lessons. Read in order; spiral back when you need to. By the end you'll have used the core ideas twice — once on the abstract, once on something you'll meet at work next week.