Jorge Laurel
Writing

Part 3: Fort Knox for Newsletters

Jorge Laurel · ·6 min read

Day 3 of a 5-part series: Building Security Into Every Layer


If you missed them, here are Part 1 and Part 2 of the series


Pop quiz: What’s the difference between a cybersecurity professional building a web app and a regular developer building a web app?

The cybersecurity professional assumes everything will be attacked, probably by someone smarter than them, definitely by someone with more time, and absolutely by someone who’s already figured out three ways to break the system before it’s even deployed.

Welcome to my paranoid world. And honestly? It’s a beautiful place to build software.

The “Assume Breach” Mentality

From the very first line of code I had the AI Agent create case on my wild idea of creating a web app, I operated under one fundamental assumption: someone, somewhere, was going to try to break this thing. Not “if”—“when.” And probably not just one person, but an entire ecosystem of threat actors ranging from bored script kiddies to sophisticated nation-state groups. Ok, maybe not nation-state but definitely bored script kiddies.

Here’s the thing about security: you don’t get to choose who targets you or why. So I decided to have the AI Agent build like I was protecting Fort Knox, even if I was just serving cybersecurity newsletters.

This mindset shaped every architectural decision, every feature implementation, and every line of code I asked the AI Agent to write.

Defense in Depth: Layers Upon Layers

I adopted a defense-in-depth strategy from day one. Think medieval castle: walls, moats, guards, and secure vaults working together. If one layer fails, the others hold. Or at least that was I intention.

Layer 1: Authentication & Authorization

The Front Gate

Firebase-based admin authentication with multi-factor options became my first line of defense. But I didn’t stop there:

  • Role-based access control with granular permissions

  • Session management with automatic expiration

  • CSRF token protection for all state-changing operations

  • Failed authentication attempt tracking with automatic lockouts

Real-world paranoia check: I implemented rate limiting on login attempts because even legitimate users sometimes become unintentional DoS attacks when they forget their passwords and hammer the login button.

Layer 2: Data Protection

The Treasure Vault

Every piece of data got the VIP treatment:

  • Input validation and sanitization for all user data (because users are creative in unexpected ways)

  • XSS prevention through content filtering and encoding

  • SQL injection protection via parameterized queries

  • Encrypted data storage for sensitive information

Layer 3: Network Security

The Castle Walls

  • HTTPS enforcement in production (obviously)

  • Security headers: CSP, HSTS, X-Frame-Options, and friends

  • Rate limiting to prevent DoS attacks

  • IP-based access controls for admin functions

Layer 4: Monitoring & Response

The Guards

  • Comprehensive security event logging

  • Suspicious activity detection and alerting

  • Automated threat response mechanisms

  • Real-time monitoring dashboards

The Security Checklist That Saved My Bacon

Throughout development, I maintained a security checklist for each major feature. This became my secret weapon (fingers crossed) against common vulnerabilities:

Authentication & Authorization

  • ✅ Strong password requirements and multi-factor authentication

  • ✅ Secure session management with proper expiration

  • ✅ All authentication events logged for monitoring

  • ✅ Role-based access with principle of least privilege

Data Protection

  • ✅ Input validation at both client and server levels

  • ✅ Output encoding to prevent XSS

  • ✅ Parameterized queries to prevent SQL injection

  • ✅ Sensitive data encrypted both in transit and at rest

Network Security

  • ✅ HTTPS enforced with proper certificate management

  • ✅ Security headers implemented and tested

  • ✅ Rate limiting configured for all endpoints

  • ✅ Network segmentation and access controls

Application Security

  • ✅ OWASP Top 10 vulnerabilities addressed

  • ✅ Error handling that doesn’t leak information

  • ✅ File upload restrictions and validation

  • ✅ Secure configuration management

The Moment of Truth: OWASP Top 10 Testing

Building security in is one thing. Proving it works is another. I had the AI Agent put the application through comprehensive OWASP Top 10 vulnerability testing, and the results were… well, let me just say that week of paranoid development paid off.

The Scorecard: 10/10 Categories Secured

A01: Broken Access Control - Role-based access control with proper authorization checks

A02: Cryptographic Failures - HTTPS enforced, sensitive data encrypted

A03: Injection - Parameterized queries and input validation blocked all injection attempts

A04: Insecure Design - Security-by-design architecture from day one

A05: Security Misconfiguration - Secure defaults and proper security headers

A06: Vulnerable Components - Dependencies updated and monitored

A07: Authentication Failures - Strong authentication with Firebase integration

A08: Software Integrity Failures - Secure deployment pipeline with integrity checks

A09: Logging & Monitoring Failures - Comprehensive security event logging

A10: Server-Side Request Forgery - Input validation and network segmentation

Clean sweep. Not a single critical vulnerability found. Yes, I know. This can, and probably will, come back to bite me, this false sense of security. Nothing is secure. Nothing.

The AI Advantage in Security

Here’s where the human-AI collaboration really shined in security implementation. My job was to think like an attacker—to understand threat models, attack vectors, and business risks. The AI’s job was to implement secure code patterns consistently and correctly.

Human Contribution:

  • Threat modeling and risk assessment

  • Security architecture decisions

  • Attack vector identification

  • Business context for security trade-offs

AI Contribution:

  • Consistent implementation of security best practices

  • Comprehensive security pattern library

  • Rapid iteration on security fixes

  • 24/7 availability for security questions

This partnership meant I could implement enterprise-grade security, hopefully, without the typical enterprise development timeline.

Three Security Lessons Learned

1. Security Debt Compounds Fast

Every security shortcut you take early becomes a bigger problem later. I learned to implement security correctly the first time rather than planning to “secure it later.”

2. Automation Prevents Human Error

I automated security testing, dependency updates, and vulnerability scanning. Humans are great at creative security thinking; we’re terrible at remembering to run the same security checks every time.

3. Defense in Depth Actually Works

Multiple times during testing, I found that while one security layer might have a theoretical vulnerability, the other layers prevented any actual exploitation. Redundancy in security isn’t waste—it’s insurance.

The Paranoia Payoff

By the end of my security implementation, the AI Agent had built something that could withstand serious scrutiny (again, fingers crossed). The OWASP testing validated the approach chosen, but more importantly, I had established security practices that would scale with the application. I hope.

Every new feature I added went through the same security-first process. Every deployment included security testing. Every code change the AI Agent implemented was evaluated for security implications.

Did this slow me (aka the AI Agent) down? Initially, yes. But it prevented the AI Agent from building security debt that would have slowed down the process much more later.

What’s Next?

In Part 4, I’ll dive into the moment of truth: putting the creation into the real world. How do you launch a platform that you’ve been building in a vacuum? What happens when actual users start using your carefully crafted features? And why did I have to rebuild the mobile interface twice?