How this Cybersecurity track works
- Read-focused — authorized practice only (execution_profile: none). Study threats, controls, and secure development; optional labs only on systems you own or have explicit permission to test (DVWA locally, cloud sandboxes).
- Developer-first — maps to the code you write in Node.js, PHP, Django, and React, and to cloud configuration on AWS.
- Prerequisites — basic web and SQL skills from the HTML, JavaScript, and SQL tracks; Git for the supply-chain lessons.
- Pair with — Generative AI for LLM abuse cases; Bash for log analysis on servers you administer.
Ethics: Never scan or exploit systems without written authorization. Unauthorized access is illegal.
Install on your device (macOS, Linux, Windows)
Read-focused track—use any modern browser and an editor for notes and diagrams.
macOS
- Browser: Safari or Chrome. Editor: VS Code (brew install --cask visual-studio-code).
Linux
- Browser: Firefox/Chromium. Editor: VS Code or distro package manager.
Windows
- Browser: Edge/Chrome. Editor: VS Code (winget install Microsoft.VisualStudioCode).
Verify: You can take notes and complete MCQs on this site.
Lab safety: Only scan or test systems you own or have written permission to test.
Cybersecurity protects confidentiality, integrity, and availability of systems and data from theft, abuse, and disruption. As a developer, you are on the front line—every API, form, and database query is a potential attack surface.
Prerequisites and how this track works
Comfort with HTML, JavaScript, PHP or Node.js, and SQL helps you map lessons to real code. Prior AWS literacy helps cloud security modules.
This track is read-focused: study threats and controls here, then apply them in projects on other tracks. No in-browser attack lab in the curriculum player.
Ethics: Only test systems you own or have written authorization to assess. Unauthorized scanning or exploitation is illegal. Use learnings to defend systems, not harm them.
Practice: Use a dedicated notes doc or threat-model diagram on paper—this track is read-focused (execution_profile: none). Optional labs run on your own vulnerable apps (DVWA, WebGoat) or cloud sandboxes—never production systems without permission.
What you will learn
- CIA triad, threat landscape, and developer security mindset
- Authentication, authorization, MFA, sessions, least privilege
- OWASP Top 10 previews: injection, XSS, CSRF, access control, misconfiguration
- TLS, encryption, segmentation, phishing awareness, secrets management
- Logging, vuln management, secure SDLC, supply chain, incident response
- Modern topics: cloud/AWS bridge, Gen AI risks, API security, compliance preview
Defense in depth
No single control stops all attacks—layer network rules, auth, input validation, monitoring, and human process. Assume breach and design recovery.
Important interview questions and answers
- Q: Why security for developers?
  A: You ship features that handle credentials and PII—security is part of the definition of done.
- Q: Why read-focused?
  A: Attack tooling in a shared browser lab is unsafe; scenario study plus authorized local practice is the default.
Self-check
- Name two prerequisite tracks.
- What does defense in depth mean?
Challenge
Draft a one-page threat model
- Pick a login or checkout feature from a project you know.
- Draw trust boundaries and list assets (sessions, PII, payments).
- Add three STRIDE threats and one control each.
Done when: you have a threat-model sketch with boundaries, threats, and controls.
Tip: Keep a running threat-model doc—one page per feature with STRIDE columns.
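One way to keep that running threat-model doc honest is to write the sketch as data and lint it against the "done when" criteria above. The following is an added example, not part of the track's material; the login feature, its boundaries, assets, threats and controls are constructed for illustration, and the Threat/ThreatModel/validate names are ours.

```python
from dataclasses import dataclass, field

# STRIDE categories the challenge asks you to pick from.
STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege"}
@dataclass
class Threat:
    category: str      # one STRIDE category
    asset: str         # must be an asset listed in the model
    boundary: str      # must be a trust boundary drawn in the model
    description: str
    control: str       # one concrete mitigation; "" means none yet
@dataclass
class ThreatModel:
    feature: str
    boundaries: list = field(default_factory=list)
    assets: list = field(default_factory=list)
    threats: list = field(default_factory=list)
def validate(model: ThreatModel) -> list:
    """Return the gaps in a sketch; an empty list means it meets 'done when'."""
    gaps = []
    if not model.boundaries:
        gaps.append("no trust boundaries drawn")
    if not model.assets:
        gaps.append("no assets listed")
    if len(model.threats) < 3:
        gaps.append(f"only {len(model.threats)} threat(s); need at least 3")
    for t in model.threats:
        if t.category not in STRIDE:
            gaps.append(f"unknown STRIDE category: {t.category}")
        if t.asset not in model.assets or t.boundary not in model.boundaries:
            gaps.append(f"unlisted asset or boundary in: {t.description}")
        if not t.control.strip():
            gaps.append(f"no control for: {t.description}")
    return gaps

# Constructed sample for a login feature of a hypothetical app.
LOGIN = ThreatModel(
    feature="login",
    boundaries=["browser->app", "app->database"],
    assets=["credentials", "session token", "user PII"],
    threats=[
        Threat("Spoofing", "credentials", "browser->app",
               "credential stuffing", "MFA plus per-account rate limiting"),
        Threat("Tampering", "user PII", "app->database",
               "SQL injection via username", "parameterised queries"),
        Threat("Information disclosure", "session token", "browser->app",
               "cookie read by injected script", "HttpOnly and Secure cookie flags"),
    ],
)
```

Run validate() on each feature's model in CI so a threat added without a control, or a threat naming an asset nobody listed, fails the build instead of being forgotten.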
Interview prep
- Ethics first?
Only test systems you own or are authorized to assess.
- Read-focused?
execution_profile: none—scenario study and authorized local labs.