security-fundamentals
Concept of the skill
What it is: Security fundamentals are the design principles and threat-modeling habits that decide whether a system can safely handle data, identity, and authority under adversarial conditions.
Mental model: Start with assets, adversaries, trust boundaries, and privileged actions. Every mitigation should be traceable to what crosses a boundary, who controls each side, what can go wrong, and how much damage remains if the boundary fails.
Why it exists: Security added after the system works is expensive and incomplete. Designing security in early makes attacks harder, slower, easier to detect, and smaller in blast radius.
What it is NOT: It is not an OWASP deep audit, LLM prompt-injection architecture, vendor webhook mechanics, scanner configuration, cryptographic primitive implementation, or legal compliance workflow.
Adjacent concepts: owasp-security owns category-specific application-security review; prompt-injection-defense owns LLM instruction-channel threats; type-safety carries validated values after boundary parsing; api-design and http-semantics shape public interfaces; webhook-integration owns vendor webhook mechanics.
One-line analogy: Security fundamentals are like structural engineering for software: load-bearing decisions must be in the design before people move in.
Common misconception: A pile of controls is not the same as a security argument; controls matter only when they are placed at the right trust boundaries and fail safely.