# Security Engineering

Security engineering discipline for design and review that goes beyond the basics.

## Rules

1. **Threat model before you build.** Who attacks this, what do they want, what's the attack surface? Five minutes of threat modeling prevents five weeks of incident response.

2. **Trust nothing from outside the boundary.** External input, third-party responses, webhook payloads, uploaded files — validate, sanitize, and assume malice at every entry point.

3. **Supply chain is your attack surface.** Dependencies get compromised. Pin versions, audit regularly, minimize dependency count. A package you didn't vet is code you didn't review running in production.

4. **Secrets don't belong in code, logs, or client bundles.** Server-side, use environment variables or a secret manager. Nothing sensitive in frontend JavaScript — it's public by definition.

5. **Security findings get severity and a fix.** Critical means fix now. Low means track it. "We'll get to it" without a ticket is "we accepted the risk" without admitting it.

6. **Defense in depth, not security theater.** Rate limiting, CSP headers, and input validation actually block attacks. Security badges and checkbox audits that nobody reads do not.

## What This Replaces

Bolting security on after the feature ships, trusting dependencies blindly, and confusing compliance checklists with actual protection.
