System design : Security concepts

By understanding the most common threats lurking in the cybersecurity landscape, you equip yourself to build smarter defenses, reduce vulnerabilities, and stay one step ahead of attackers.

Below are some common threats -

Malware
Malicious software like viruses, worms, and Trojans is engineered to infiltrate, damage, or disrupt systems and steal data. It's one of the most prevalent and evolving threats in the wild.

Phishing
Cyber attackers use fake emails or websites to impersonate trusted entities, tricking users into revealing sensitive information such as login credentials or credit card numbers.

SQL Injection
By manipulating input fields in web applications, attackers can inject malicious SQL commands to bypass authentication, extract data, or even take control of the database.

Cross-Site Scripting (XSS)
Attackers inject malicious scripts into web pages that run in users’ browsers, allowing them to hijack sessions, steal data, or deface websites.

Cross-Site Request Forgery (CSRF)
This sneaky attack tricks authenticated users into performing unwanted actions (like changing settings or transferring funds) without their consent or knowledge.

Denial-of-Service (DoS) & Distributed Denial-of-Service (DDoS)
By flooding a system with excessive traffic, these attacks aim to crash or paralyze services, rendering them inaccessible to real users.

Man-in-the-Middle (MitM) Attacks
In these interceptions, an attacker secretly relays or alters the communication between two parties — potentially capturing passwords, tokens, or other sensitive data.

Insider Threats
Not all risks come from outside. Disgruntled or negligent employees with legitimate access can unintentionally or deliberately cause serious security breaches.

Zero-Day Exploits
These attacks target unknown or unpatched vulnerabilities in software before developers have a chance to fix them — making them extremely dangerous and hard to detect.

Mitigation strategies at API level – making Your API’s Safer

APIs are the building blocks of modern apps. APIs connect services and make things work behind the scenes. Let’s walk through the key concepts and tools you should know to keep your APIs safe and reliable:

Authentication – Who Are You?

This is like checking ID at a security gate. Before accessing anything, the API needs to know who is making the request.
Common methods include API Keys, JWT (JSON Web Tokens), and OAuth 2.0.
For example, logging into Instagram using your Google account uses OAuth to verify your identity.

Authorization – What Can You Do?

Once identity is confirmed, authorization decides what access the user has.
A regular user can view data, but an admin might have permission to delete it.
Techniques include OAuth scopes, RBAC (Role-Based Access Control), and ABAC (Attribute-Based Access Control).

Rate Limiting – Slow Down, Buddy

To stop spamming or overloading the system, rate limiting restricts how many times a user can call the API in a time period.
You might only allow 100 API calls per minute per user.
This protects your backend from abuse, denial-of-service attacks, and crashes.

Input Validation – Check Before You Trust

Always double-check data coming into your API. Hackers often send tricky inputs to break your app.
Proper validation helps prevent SQL Injection and Cross-Site Scripting (XSS).
For example, if a user types DROP TABLE in a name field, input validation stops it from causing harm.

CORS (Cross-Origin Resource Sharing) – Who Can Talk to Me?

CORS controls which websites can access your API.
For instance, your API might allow requests from app.mybank.com but block hacker-site.com.

API Gateway – The Security Guard for Your APIs

An API Gateway is the single entry point for all your APIs.
It handles authentication, rate limiting, logging, and routing.
Popular tools include Kong, Apigee, and AWS API Gateway.

JWT (JSON Web Token) – Your Digital ID Card

JWTs are compact tokens used to securely transmit user identity and claims.
They’re commonly used in stateless authentication, where no session is stored on the server.

OAuth 2.0 & OpenID Connect – Safe Delegated Access

These standards let users log in or grant access without sharing passwords.
For example, “Log in with Google” uses OAuth to share access securely.

HMAC & Signature Validation – Don’t Let Hackers Fake Requests

Hash-based Message Authentication Codes (HMAC) ensure that the message hasn’t been changed in transit. It’s like sealing a letter — the receiver knows if it’s been tampered with.

TLS/HTTPS – Encrypt Everything

Transport Layer Security (TLS) encrypts data sent between the client and server.
HTTPS is a must-have to prevent eavesdropping and protect sensitive data like passwords or payment info.

Security Testing – Find loop holes Before Hackers Do

Tools like OWASP ZAP, Postman Security Audit, and Burp Suite help test your API for vulnerabilities.
These should be part of your regular development and deployment pipeline.

API Threat Detection – Real-Time Security Watchdog

Beyond testing, tools like Salt Security, 42Crunch, and Noname Security continuously monitor APIs.
They detect unusual behavior, protect against zero-day attacks, and alert you to suspicious activity.

Mitigation strategies at Cloud level – building secure infrastructure

Below are best practices and tools used to reduce security risks in cloud environments. They help to create a well-guarded, resilient infrastructure by enforcing access controls, encryption, monitoring, and automated policy enforcement.

IAM (Identity & Access Management
This helps manage who can access cloud resources and what actions they can perform. Services like AWS IAM or Azure RBAC let you define permissions for users, groups, or services.

Least Privilege Principle
Only give users the exact access they need — nothing more. For example, if someone only needs to view logs, don’t let them change settings.

Encryption at Rest and in Transit
To keep data safe, it's encrypted both when stored (at rest) and while moving between systems (in transit). Cloud services use tools like KMS (Key Management Systems) for this.

Security Groups and Firewalls
These act like virtual gates that control which network traffic is allowed to reach your cloud resources, and what’s allowed to leave.

VPC Isolation and Subnetting
Your cloud resources are organized into virtual networks (VPCs). Using subnets helps limit what parts of your system are visible and accessible to the outside world.

Cloud Security Posture Management (CSPM)
These tools continuously check your cloud setup for security risks and help enforce policies. Examples include Prisma Cloud, Checkov, and AWS Config.

Cloud Web Application Firewall (WAF)
A cloud WAF filters bad or suspicious traffic before it can reach your apps. It protects against things like SQL injections or bots. Tools include AWS WAF and Azure WAF.

SIEM (Security Information and Event Management)
These systems collect and analyze security logs to detect suspicious activity. Examples include Splunk, Datadog, ELK stack, and Microsoft Sentinel.

Secret Management
Rather than hard-coding passwords or tokens, secret managers store them securely. Popular tools include AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault.

Zero Trust Architecture
This model assumes nothing is automatically trusted — even inside your network. Every request must be verified, making it ideal for hybrid and remote setups.

Compliance and Auditing
Cloud services offer tools to track what’s happening in your environment. Services like AWS CloudTrail, Azure Monitor, and GCP Audit Logs help with monitoring and meeting compliance requirements.

Multi-Factor Authentication (MFA)
Adds extra protection by requiring a second step to log in — like a text message code or authentication app — in addition to your password.

Mitigation strategies at database level – building secure foundation

To protect data at its core, databases must be designed with layered security controls. These strategies help prevent unauthorised access, detect anomalies, and ensure data remains safe, consistent, and recoverable.

Encryption at Rest
This protects stored data by converting it into unreadable code. Tools like Transparent Data Encryption (TDE) are used in databases such as SQL Server, MySQL, and Oracle to keep stored information safe even if the storage is compromised.

Encryption in Transit
When data moves between your application and the database, encryption using SSL/TLS ensures no one can read it along the way — just like sealing a letter in an envelope.

Access Control
Not everyone should see everything. Access control allows you to define roles or conditions that determine who can view or change specific data.

Database Firewall
This works like a security guard for your database, detecting and blocking suspicious SQL commands before they can do damage. Tools include Imperva and Oracle Database Firewall.

SQL Injection Prevention
SQL injections are one of the most common database attacks. Using prepared statements or ORM (Object Relational Mapping) tools can stop attackers from inserting harmful code.

Data Masking
Instead of using real user data in test environments, data masking replaces sensitive values with fake ones. This helps protect customer data during development or training.

Activity Monitoring
Tracking and analyzing how the database is accessed helps detect unusual behavior. Tools like IBM Guardium and Azure Defender for SQL watch over these activities.

Auditing & Compliance
Audit logs tell you who accessed what data and when — useful for meeting regulatory requirements. Tools like pgAudit in PostgreSQL help keep track of access history.

Backup & Disaster Recovery
If something goes wrong — like an attack or a system failure — having secure, regular backups means you can restore data and keep business running.

Password Policies
Strong passwords matter. Enforcing rules like minimum length, complexity, and expiration helps prevent unauthorised access to your database.

Vulnerability Scanning
Databases can have hidden weaknesses. Regular scans using tools like Nessus or Qualys help you spot and fix security flaws before attackers find them.

Recognising threats is only the foundation — true security emerges when strategic mitigation transforms awareness into action. Developers play a crucial role in building resilient systems that protect user trust and ensure long-term success.