What is threat modelling and why should it happen before development?
Threat modelling is a structured process for identifying security requirements and potential vulnerabilities during the design phase before code is written. It answers four questions: what are we building (architecture and data flow diagram), what can go wrong (threat enumeration using STRIDE or PASTA methodology), what will we do about it (countermeasures for each identified threat), and did we do a good job (verification that countermeasures are actually implemented). Threat modelling before development is the most cost-effective security activity: a threat identified in design can be addressed by a design decision (which costs nothing to implement) or a few lines of code. The same threat discovered in production requires patching deployed code, testing, re-deploying, and potentially notifying affected customers. Microsoft's research found that fixing a security issue in design costs 1x; fixing it in code costs 6x; fixing it post-deployment costs 100x.
How do you prevent SQL injection?
SQL injection prevention is achieved through parameterised queries also called prepared statements. Instead of building an SQL string by concatenating user input (`SELECT * FROM users WHERE email = '' + userInput + ''`), a parameterised query uses a placeholder (`SELECT * FROM users WHERE email = $1`) and passes the user input as a separate parameter. The database driver handles the separation user input is never interpreted as SQL syntax, regardless of what it contains. ORMs (Prisma, Drizzle, SQLAlchemy) use parameterised queries by default for all standard operations SQL injection through ORM-generated queries is extremely rare. The risk surfaces in raw SQL queries (when developers write `db.query('SELECT * FROM ' + tableName)` never construct SQL from user input even for table names or column names use a whitelist instead), in stored procedures (parameter handling within stored procedures must also use parameterised queries), and in ORM escape functions (some developers use ORM escape functions and string interpolation less safe than parameterised queries, which should be the default).
What is Content Security Policy (CSP) and how does it prevent XSS?
Content Security Policy (CSP) is an HTTP response header that tells the browser which resources it is allowed to load for a given page preventing the browser from loading or executing resources from untrusted sources. CSP prevents Cross-Site Scripting (XSS) by: blocking inline scripts unless they carry a server-provided nonce (`<script nonce='abc123'>` matched against CSP header's `nonce-abc123` directive a random nonce generated per request that an attacker cannot predict), blocking scripts from external domains not explicitly in the policy, and (with Trusted Types) preventing DOM manipulation without type-safe wrappers. A correctly implemented nonce-based CSP eliminates most XSS exploitation even when XSS injection points exist the attacker can inject HTML but cannot execute JavaScript because their injected script lacks the valid nonce. CSP is one of the most impactful single security controls available for web applications. Implementation note: many organisations deploy an overly permissive CSP (`unsafe-inline` or `*` wildcards) that provides no protection a strict nonce-based CSP is more complex to implement but actually prevents attacks.
What is the difference between authentication and authorisation?
Authentication answers "who are you?" it verifies the identity of the user (username/password, OAuth token, certificate). Authorisation answers "what are you allowed to do?" it determines whether the authenticated user has permission to perform a specific action on a specific resource. The most common application security vulnerability is broken authorisation specifically Insecure Direct Object Reference (IDOR): after authentication, a user accesses `/api/orders/1234` (an order that belongs to another user) by simply modifying the ID in the URL. The application verified who the user was (authentication) but failed to verify that the user owns order 1234 (authorisation). Every data-modifying API endpoint must verify both: that the request is authenticated (valid session or token) AND that the authenticated user has permission to perform this action on this specific resource (authorisation check at the resource level, not just the route level). Row-Level Security in PostgreSQL enforces authorisation at the database level a bug in application authorisation logic cannot return another user's data if RLS policies are configured correctly.
