Chapter 9. Security, Permissions, and Privacy

Security must be baked in. It’s not a seasoning to sprinkle onto your system at the end. Even if your company has a dedicated security team, you aren’t off the hook. You’re still responsible to protect your customers and your company.

Michael T. Nygard, Release It!, 2nd Edition (Pragmatic Bookshelf)

There is no shame in making a mistake with security. It is impossible to be perfect. But it is inexcusable to make such mistakes out of apathy, ignorance, or fear of speaking up. If you are building a prototype and don’t have time to incorporate security, ensure that your stakeholders understand the time that will be needed to secure that system and the consequences of launching without it. If you are building a new feature on a production system with real live users, you don’t get that option. The feature has to at least maintain, if not improve, the system’s current state of security.

This chapter will cover only a small portion of the security knowledge you will need to be fully effective. Any part of your system that’s not fully serverless will have its own requirements. As it is, cloud security is so complex that we’ll barely scratch the surface. The best way to learn to build more secure software is to learn about attacks and the underlying principles of security that prevent those attacks. Learning why attacks work will help you spot weaknesses or potential issues as the software is being built instead of trying to bolt on extra ...