Series · 10 parts · ~64 min total
Security for Application Engineers
- 1. Threat Modeling per Feature (7 min, Feb 1, 2026): Apply STRIDE to every epic before a line of code is written, keeping threat modeling lightweight enough that engineering teams actually do it.
- 2. AuthN: Passwords, Passkeys, MFA (6 min, Feb 8, 2026): What authentication actually looks like to ship in 2026 — hashing, passkey flows, MFA tiers, and the pitfalls that kill real implementations.
- 3. AuthZ: RBAC, ReBAC, ABAC (6 min, Feb 15, 2026): Pick the right authorization model for your product, implement it with OPA or Cedar, and avoid the access-control patterns that leak data in real systems.
- 4. Session Management (6 min, Feb 22, 2026): Design session tokens, cookie attributes, refresh flows, and revocation so that a stolen token has a short blast radius and a logged-out user is actually logged out.
- 5. Input Validation and Injection Classes (6 min, Mar 1, 2026): Understand SQLi, XSS, SSRF, and command injection as feature risks, not checklist items — with concrete mitigations for each injection class.
- 6. Secrets at Rest and in Motion (6 min, Mar 8, 2026): How to manage encryption keys with a KMS, apply envelope encryption to sensitive database columns, and ensure nothing sensitive travels over unprotected channels.
- 7. Dependency and Supply Chain (6 min, Mar 15, 2026): Manage transitive dependencies, generate and consume SBOMs, sign artifacts, and catch the supply chain attacks that slip past standard dependency scanning.
- 8. Logging Without Leaks (7 min, Mar 22, 2026): Build structured logs that give you full observability during incidents without accidentally writing PII, credentials, or security-sensitive data into your log pipeline.
- 9. Multi-Tenancy and Isolation (6 min, Mar 29, 2026): Design tenant isolation that actually holds — scoping queries, preventing cross-tenant data leaks, and closing the privilege escalation paths that multi-tenant architectures create.
- 10. Incident Response Basics (8 min, Apr 5, 2026): Build the detection, containment, communication, and postmortem practices that turn a security incident from a chaotic crisis into a structured, survivable process.