Security, the engineer's chapter
Most security material is written either for security engineers (who already know) or for executives (who do not write code). This chapter is for the engineer who ships features that authenticate users, store credentials and talk to other services, and who would like to know enough not to be the subject of the next post-mortem. The framing throughout is the same one a design review uses: draw the trust boundaries, ask what crosses each one, and decide what would have to be true for the crossing to be safe. Most real incidents are not exotic. They are a secret left in a git history, a token that proves less than the code assumed, an input that reached a query unescaped: the same handful of mistakes, made again.
Five sub-pages carry the detail: threat modeling that fits in a working week, secrets management that actually rotates, the authentication primitives and how they compose, the CVE classes you meet in practice, and the small subset of cryptography that working code touches. Each is meant to be read once for the shape of it and kept as a reference for the moment a design review asks the question for real.
Five sub-pages, all live. Pairs with the TLS and PKI material in the networking section and the OAuth / OIDC explainers under how-it-works.
Threat modeling for engineers
STRIDE in a working week, not a PhD. The four questions, attack trees, trust boundaries, and how to keep a threat model alive past the first sprint that wrote it.
Secrets management
Where credentials actually live, how they leak, what to do about them. Vault, AWS/GCP Secrets Manager, sealed-secrets, sops, the long argument about envvars, and rotating credentials without a downtime window.
Authentication primitives
Passwords, sessions, JWTs, OIDC, mTLS, passkeys. What each one actually proves, where it goes wrong, and how the pieces compose into a working sign-in flow.
The CVE classes you actually meet
SQL injection, deserialization, SSRF, prototype pollution, path traversal, ReDoS, auth bypass. The half-dozen vulnerability classes that account for almost every real incident in a working web app.
Crypto for the engineer who is not a cryptographer
Symmetric vs asymmetric, AEAD, the do-not-roll-your-own list, hashing for storage vs hashing for integrity, what a nonce is for, when JWT is the wrong answer.