
Security

Scope

The principles, practices, and protocols for defending systems against attacks and ensuring the confidentiality, integrity, and availability of data.

Why This Topic Exists

Security is not a feature to be added later; it is a fundamental, cross-cutting concern in system design. A single vulnerability can compromise user data, cause significant financial damage, and destroy trust in a product or company.

Core Tradeoffs

  • Security vs. Usability: Overly strict controls (e.g., complex password policies, aggressive session timeouts, frequent re-authentication) frustrate users, reduce adoption, and push people toward workarounds that are often weaker than the control they bypass.
  • Performance vs. Encryption: TLS handshakes, encryption at rest, password hashing, and per-request authorization checks add CPU cost and latency. The overhead is usually small relative to the risk, but it has to be budgeted for on latency-sensitive paths.
  • Granularity of Permissions vs. Simplicity: Fine-grained access control (e.g., RBAC, ABAC) keeps each principal close to least privilege but is more complex to implement, audit, and manage than a simpler all-or-nothing model.
  • Fail-Open vs. Fail-Closed: If the authorization system itself fails (timeout, outage, bug), do you deny all access (fail-closed) to preserve security, or allow all access (fail-open) to preserve availability? Authorization decisions should normally fail closed; where a path must fail open, the degraded decision should at least be audited.
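The fail-open versus fail-closed tradeoff is easiest to see in code. The block below is an added example, not code from the original page: a hypothetical in-memory policy backend that can be switched into an "unreachable" state, and an `authorize()` wrapper whose behaviour on backend failure is selected by a `FailMode`. Every degraded decision is written to an audit list so that a fail-open choice is at least visible afterwards. All names (`PolicyBackend`, `PolicyUnavailable`, the sample grants) are constructed for the example.

```python
"""Fail-closed vs fail-open authorization when the policy backend is unavailable.

Added example; the backend, grants and names are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class FailMode(Enum):
    CLOSED = "closed"  # deny everything when the authz backend cannot answer
    OPEN = "open"      # allow everything when the authz backend cannot answer


class PolicyUnavailable(Exception):
    """Raised when the policy decision point cannot be reached (timeout, 5xx, ...)."""


@dataclass
class PolicyBackend:
    """Hypothetical policy decision point, held in memory for the example."""
    grants: Dict[Tuple[str, str, str], bool]  # (subject, action, resource) -> allowed
    healthy: bool = True

    def is_allowed(self, subject: str, action: str, resource: str) -> bool:
        if not self.healthy:
            raise PolicyUnavailable("policy backend unreachable")
        return self.grants.get((subject, action, resource), False)


def authorize(backend: PolicyBackend, subject: str, action: str, resource: str,
              mode: FailMode = FailMode.CLOSED,
              audit: Optional[List[dict]] = None) -> bool:
    """Return True if the request is allowed.

    When the backend cannot answer, the decision is governed by `mode`, and the
    degraded decision is appended to `audit` so it can be reviewed later.
    """
    try:
        return backend.is_allowed(subject, action, resource)
    except PolicyUnavailable as exc:
        decision = mode is FailMode.OPEN
        if audit is not None:
            audit.append({
                "subject": subject, "action": action, "resource": resource,
                "degraded": True, "mode": mode.value, "allowed": decision,
                "reason": str(exc),
            })
        return decision


def demo(mode: FailMode) -> dict:
    """Run the same two requests against a healthy and then a broken backend."""
    backend = PolicyBackend(grants={("alice", "read", "/reports/q1"): True})
    audit: List[dict] = []
    healthy = {
        "alice_read": authorize(backend, "alice", "read", "/reports/q1", mode, audit),
        "mallory_delete": authorize(backend, "mallory", "delete", "/reports/q1", mode, audit),
    }
    backend.healthy = False  # simulate an outage of the policy backend
    degraded = {
        "alice_read": authorize(backend, "alice", "read", "/reports/q1", mode, audit),
        "mallory_delete": authorize(backend, "mallory", "delete", "/reports/q1", mode, audit),
    }
    return {"healthy": healthy, "degraded": degraded, "audit_entries": len(audit)}


if __name__ == "__main__":
    for m in FailMode:
        print(m.value, demo(m))
```

With a healthy backend both modes behave identically. During the outage, fail-closed denies even alice's legitimate read (an availability cost), while fail-open lets mallory's delete through (a security cost); the audit list is what makes the second outcome discoverable after the fact.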

Common Failure Modes

  • “Defense in Depth” in theory, not practice: Relying on a single layer (like a perimeter firewall) while internal services stay unauthenticated and overly permissive, so one breached boundary exposes everything behind it.
  • Leaking Sensitive Information: Exposing secret keys, personal data, or internal system details (stack traces, hostnames, raw query text) in logs, error messages, or version control.
  • Ignoring the Principle of Least Privilege: Granting services or users broad permissions “just in case,” which dramatically increases the blast radius when that identity is compromised.
  • Insecure Defaults: Systems that ship insecure out-of-the-box (default credentials, open listeners, authentication off) and require users to manually enable security features.
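One concrete control against the “leaking sensitive information” failure mode is to redact credentials before log records reach any sink. The block below is an added example, not code from the original page: a small set of regular expressions for common secret shapes (bearer tokens, `password=`/`api_key:` style pairs, an AWS-style access key ID, a US SSN pattern) and a `logging.Filter` that rewrites the message in place so every handler downstream sees only the redacted text. The patterns and sample log lines are constructed for the example and would need extending to match a real system's credential formats.

```python
"""Redact secrets from log records before they reach any handler.

Added example; the patterns and sample messages are constructed for illustration.
"""
import logging
import re
from typing import List, Sequence, Tuple

# Secret shapes this example recognises. Assumed formats, not an exhaustive list.
SECRET_PATTERNS = [
    # "Authorization: Bearer <token>" headers echoed into logs
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1[REDACTED]"),
    # key=value / key: value pairs whose key names a credential
    (re.compile(r"(?i)\b(api[_-]?key|password|secret|token)(\s*[=:]\s*)\S+"), r"\1\2[REDACTED]"),
    # AWS-style access key ID: "AKIA" followed by 16 upper-case alphanumerics
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    # US social security number shape
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED_SSN]"),
]


def redact(text: str) -> str:
    """Apply every pattern in order and return the scrubbed text."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message so no handler ever sees the raw value."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() applies %-formatting; store the result and drop args so
        # handlers do not re-format (and re-expose) the original values.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted records in memory so the example is self-checking."""

    def __init__(self, sink: List[str]) -> None:
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def capture_redacted(messages: Sequence[Tuple[str, tuple]]) -> List[str]:
    """Log each (format, args) pair through a redacting logger; return what was emitted."""
    logger = logging.getLogger("example.redact")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    sink: List[str] = []
    handler = _ListHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addFilter(RedactingFilter())  # runs before any handler sees the record
    logger.addHandler(handler)
    for fmt, args in messages:
        logger.info(fmt, *args)
    return sink


if __name__ == "__main__":
    # Constructed sample log calls that would leak secrets without the filter.
    sample = [
        ("user %s logged in with password=%s", ("alice", "hunter2")),
        ("upstream request headers: Authorization: Bearer %s", ("eyJhbGciOi.payload.sig",)),
        ("rotating key %s for account %s", ("AKIAIOSFODNN7EXAMPLE", "billing")),
    ]
    for line in capture_redacted(sample):
        print(line)
```

The filter is attached to the logger rather than to a single handler, so a later-added file or network handler cannot bypass it. Regex redaction is a backstop, not a substitute for keeping secrets out of log calls in the first place; it will miss formats nobody wrote a pattern for.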

Interview Signals

Strong candidates talk about security as a mindset that is integrated into every stage of the development lifecycle. They can clearly distinguish between authentication and authorization, describe common vulnerabilities like the OWASP Top 10 (XSS, SQL Injection), and discuss defense-in-depth strategies, including the role of encryption in transit and at rest.
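Candidates are expected to be able to show, not just name, the OWASP vulnerabilities mentioned above. The block below is an added example, not code from the original page: a vulnerable login query built by string concatenation next to its parameterized form, run against an in-memory SQLite table, and a comment renderer with and without output encoding. The table, the row, and the `fakehash-for-example` value are constructed for the example; a real system stores a salted password hash and compares it server-side.

```python
"""SQL injection and XSS: the vulnerable form beside the hardened form.

Added example; the schema, sample row and payloads are constructed for illustration.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'fakehash-for-example')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Deliberately unsafe: attacker-controlled text is spliced into the SQL.
    # A username of  alice' --  comments out the password check entirely.
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Placeholders keep data and code separate; the driver never parses the
    # bound values as SQL, so the same payload is just a username that does not exist.
    query = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


def render_comment_vulnerable(comment: str) -> str:
    # Reflected/stored XSS: user text is inserted into HTML unencoded.
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    # Encode for the HTML text context; quote=True also neutralises ' and "
    # so the value is safe inside attribute values too.
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"
    print("vulnerable login with injected username:", login_vulnerable(db, payload, "wrong"))
    print("parameterized login with same input:   ", login_safe(db, payload, "wrong"))
    xss = "<script>alert(1)</script>"
    print(render_comment_vulnerable(xss))
    print(render_comment_safe(xss))
```

The two fixes share one principle: keep untrusted data in a data channel (bound parameters, encoded text) rather than letting it reach an interpreter (the SQL parser, the HTML parser) as code.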
