Secure Coding

Interactive Lesson on Implementing Cybersecurity Principles to Programming


Cyberattacks are a Coding Problem

The world's most significant cyberattacks often start with a simple vulnerability in a piece of code. Think of the Log4j vulnerability from a few years ago. A small bug in a common logging library was discovered, and suddenly, millions of websites and applications were at risk of being completely taken over. It was a wake-up call for the entire industry.

In this lesson, you'll learn the key principles of secure coding to make sure you're building software that's not just functional, but also safe.

Icebreaker: The Real Impact of Insecure Code

Let's start with a true story. In 2025, a massive security oversight in an AI chatbot for McDonald's job applicants exposed personal information for over 64 million people. Security researchers managed to crack the chatbot with the password "123456". This is a perfect example of how a simple, hardcoded password can have huge consequences. [Source]

Let's take a quick moment to discuss.

1. Discussion: Has anyone here ever had one of their online accounts hacked or know someone who has? What happened?

2. Quick Poll: Who thinks their password is secure?

Basic Programming

Before we dive deeper, let's make sure we're all on the same page with some fundamental programming concepts. This interactive primer will help you get started with the basics of code.

Part 1: The Password Dilemma

The McDonald's incident was a classic case of bad password management. But what about your own passwords? Let's find out how strong they really are.

Password Strength Simulator

Enter a password to test its strength. Try a common one like `password123` and then a more creative one!

Discussion: Best Practices for Strong Passwords

  • Length is King: Longer passwords are significantly harder to crack. Aim for at least 12 characters.
  • Mix it Up: Use a combination of uppercase and lowercase letters, numbers, and special characters.
  • Uniqueness is Crucial: Never reuse a password across different websites. If one site gets hacked, all your accounts are at risk.
  • Passphrases are Powerful: Consider using a memorable phrase, like "Correct-Horse-Battery-Staple," instead of a complex but hard-to-remember password.

A Harsh Reality Check from 2025:

In an incident this year, 184 million Google and Apple passwords were leaked from an unsecured database. Most of these were simple words or were passwords that were reused across multiple sites, making them easy targets. This is why a strong, unique password is the first line of defense. [Source]

Hashing in Action

Now let's see how hashing works. This interactive demo will show you the difference between a plain text password and a hashed one.

Part 2: Don't Store Passwords, Hash Them!

If a database gets breached and you've stored passwords in plain text, you've just given every user's account away. The modern approach is to "hash" the password. Hashing is a one-way function. You can create a hash from a password, but you can't get the original password back from the hash.

Watch a video on password hashing best practices here.

Code-Fix Challenge: Password Hashing

The following code is insecure. It just stores the password as-is. Your task is to fix it by using a hypothetical `hash()` function. You'll also need to add a "salt" to make it even more secure. A salt is a unique, random string added to the password before hashing. You can make up the salt value.

function registerUser(username, password) {
    // Problem: Storing plaintext password
    const user = {
        username: username,
        password: password
    };
    saveToDatabase(user);
}

Your Secure Code:

Challenge Hints:

Part 3: The Code Bug Hunt

The Microsoft Teams vulnerability from August 2025 exposed how a seemingly small flaw in handling external links could be exploited to steal sensitive information. Attackers could trick users into clicking a malicious link that would run a script, and because the system wasn't properly sanitizing the input, it allowed the script to execute. The root cause was a lack of proper input validation. [Source]

Below is a simple piece of code that simulates how a user profile might be updated. It looks harmless, but it has a major security flaw.

The Vulnerable Code:

function updateUserProfile(username, newBio, newWebsite) {
    const userProfile = {
        username: username,
        bio: newBio,
        website: newWebsite
    };
    // The flaw is somewhere here!
    saveProfileToDatabase(userProfile);
    showMessage("Profile updated successfully!");
}

What is the major security flaw in this code?

Part 4: Investigative Challenge

Now it's your turn to become a security analyst. I'm going to split you into seven groups. Each group will investigate a real data breach from 2025. Your mission is to act as a "response team" and answer the following questions:

  • What happened during the breach?
  • What coding choices do you think enabled it?
  • How could better secure coding have prevented it?

Here are your assignments:

Group 1: Farmers Insurance

Read the report

Group 2: Allianz Life

Read the report

Group 3: TransUnion

Read the report

Group 4: Connex Credit Union

Read the report

Group 5: Teamsters Union

Read the report

Group 6: Dameron Hospital

Read the report

Group 7: Compumedics USA

Read the report

Part 5: Secure Coding Best Practices

As you've seen, every line of code you write has security implications. By internalizing a few key principles, you can drastically reduce vulnerabilities.

Never Trust User Input

Always assume any data coming from a user is malicious. Use validation and sanitization to filter and cleanse input before it's processed or stored. This is the first and most critical line of defense against many common attacks like SQL injection and cross-site scripting (XSS).
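An added example (not code from the lesson) of what validation and output encoding look like for the Part 3 profile update: the website must be an absolute http(s) URL, the username and bio are length- and character-checked, and the bio is HTML-encoded only when it is displayed. The username pattern, bio limit and allowed schemes are assumptions chosen for this example.

```javascript
// Added example (not from the lesson): input checks for the Part 3
// updateUserProfile() inputs. The username pattern, bio length limit and
// allowed URL schemes are assumptions chosen for this example.
const MAX_BIO_LENGTH = 500;
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Accept only absolute http(s) URLs. Anything else (including "javascript:"
// links) is rejected outright rather than "cleaned up", because a rejected
// value is easier to reason about than a partially rewritten one.
function validateWebsite(url) {
  if (url === "") return { ok: true, value: "" }; // no website is fine
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return { ok: false, error: "website must be an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, error: `scheme "${parsed.protocol}" is not allowed` };
  }
  return { ok: true, value: parsed.href };
}

// Returns a validated profile object, or throws describing the first problem.
// The bio is stored as typed and encoded for HTML when displayed (below).
function validateProfileInput(username, newBio, newWebsite) {
  if (typeof username !== "string" || !/^[A-Za-z0-9_]{3,32}$/.test(username)) {
    throw new Error("username must be 3-32 letters, digits or underscores");
  }
  if (typeof newBio !== "string" || newBio.length > MAX_BIO_LENGTH) {
    throw new Error(`bio must be text of at most ${MAX_BIO_LENGTH} characters`);
  }
  const site = validateWebsite(typeof newWebsite === "string" ? newWebsite : "");
  if (!site.ok) throw new Error(site.error);
  return { username, bio: newBio, website: site.value };
}

// Encode the characters that have meaning in HTML, so a bio such as
// "<script>...</script>" is displayed literally instead of being executed.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderProfileHtml(profile) {
  const link = profile.website
    ? `<a href="${escapeHtml(profile.website)}">${escapeHtml(profile.website)}</a>`
    : "";
  return `<h1>${escapeHtml(profile.username)}</h1><p>${escapeHtml(profile.bio)}</p>${link}`;
}
```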

Use Hashing for Passwords

Never store passwords in plain text. Use strong, one-way hashing algorithms like bcrypt or Argon2 with a unique salt for every user. If your database is breached, the attacker will only have an unusable string of characters, not the actual passwords.

Principle of Least Privilege

Your code should only have the permissions it absolutely needs to perform its function. For example, a web application should not have administrator access to the database. Limiting permissions minimizes the damage an attacker can do if they manage to compromise your system.

Keep Everything Updated

Regularly update your software, libraries, and frameworks. This ensures you have the latest security patches and are protected against known vulnerabilities that have been discovered and fixed by the community.

Think Like an Attacker

Always be asking, "How could someone break this?" or "What's the worst-case scenario if this data is compromised?" Proactive thinking is the best way to prevent attacks before they even start.

You're on the right track!

In just a short time, you've learned to recognize and fix some of the most common and dangerous vulnerabilities. The principles of secure coding are about thinking like an attacker: "How could someone misuse this?" and building defenses against those threats.

Remember: secure coding is a mindset, not just a set of rules. As you continue to learn and build, always be thinking about how you can write code that is not only smart but also safe for everyone who uses it.