Security Engineering

Introductory chapter: why security is part of architecture, what topics the section includes and how to go through it.

Practical threat modeling for security and privacy: DFD, STRIDE/LINDDUN, and prioritization of architectural controls.

How to apply OWASP Top 10 in distributed systems architecture: threat modeling, architectural controls and secure defaults.

A practical introduction to the Identification -> Authentication -> Authorization trio and modern protocols: OAuth 2.0/OIDC, SAML, WebAuthn, mTLS.

Practical analysis of ACL/RBAC/ABAC/ReBAC: how access decisions are made, canonical schemes, comparison of trade-offs and limits of applicability.

A practical introduction to asymmetric encryption, PKI/certificates, key infrastructure, and how TLS 1.3 works.

Practical API security patterns: authn/authz, rate limiting, schema validation, anti-replay, abuse prevention and secure API lifecycle.

How to securely manage secrets: secret stores, rotation, dynamic credentials, encryption-at-rest and operational guardrails.

A practical introduction to Zero Trust: principles, reference architecture, policy enforcement and phased implementation.

Software supply chain protection: SBOM, dependency hygiene, CI/CD hardening, artifact signing and provenance verification.

Practical data governance design: GDPR, Federal Law-152, data lineage, PII handling, access control and audit of data changes.

Google practices: Zero Trust, defense in depth, secure SDLC, incident response and security culture.

Speech by Christian Grobmeier on the Log4Shell crisis and practical lessons in open source security.