Cybersecurity basics
What every tech professional should know about security
You do not need to be a security engineer to understand basic cybersecurity. Here are the concepts, threats, and practices that matter for anyone working in tech.
Why every tech professional needs security basics
Security is not just the security team's job. PMs make decisions that affect user data privacy. Analysts query databases that contain sensitive information. QA engineers test authentication flows.
Every tech professional makes decisions that can create or prevent security vulnerabilities. Understanding the basics means you can catch problems before they ship, ask the right questions in design reviews, and make product decisions that protect your users.
The most common security threats (simplified)
You do not need to understand how to exploit these — you need to recognize them when they come up in tickets, design reviews, or incident reports.
Phishing
Fake emails, texts, or sites that trick people into revealing credentials. Responsible for 80%+ of breaches.
SQL Injection
Malicious code inserted into database queries via user input. Allows attackers to read or delete data.
Cross-Site Scripting (XSS)
Malicious scripts injected into web pages. Can steal session cookies and user data.
Broken Authentication
Weak passwords, no MFA, exposed session tokens. Makes accounts easy to take over.
Sensitive Data Exposure
Storing or transmitting personal data without encryption.
Insecure APIs
APIs without proper authentication that expose backend data to anyone who calls them.
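To make the SQL Injection entry above concrete, here is a small added example (not code from the original article) using Python's built-in sqlite3 module and a constructed in-memory users table. It shows why pasting user input into query text is dangerous: even a legitimate name containing an apostrophe is read by the database as part of the SQL, while the parameterized version treats the same input strictly as data.

```python
import sqlite3

# Constructed sample data for this example; not from the original article.
SAMPLE_USERS = [
    ("Ada Lovelace", "ada@example.com"),
    ("Mary O'Brien", "mary@example.com"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_unsafe(conn, name):
    # Vulnerable pattern: the input is spliced into the SQL text, so the
    # database cannot tell where the query ends and the user's data begins.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_email_safe(conn, name):
    # Hardened pattern: the '?' placeholder keeps the SQL fixed; the driver
    # hands the name to the database as a value, never as query text.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    """Run both lookups for each sample name and collect the outcomes."""
    conn = make_db()
    results = {}
    for name, _ in SAMPLE_USERS:
        try:
            results[("unsafe", name)] = find_email_unsafe(conn, name)
        except sqlite3.Error as exc:
            # The apostrophe in O'Brien terminates the string literal early,
            # so the rest of the name is parsed as SQL and the query fails.
            results[("unsafe", name)] = "error: " + type(exc).__name__
        results[("safe", name)] = find_email_safe(conn, name)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same confusion between data and query text that breaks the lookup for "O'Brien" is what an attacker relies on; the parameterized query removes the problem for both the honest user and the hostile one.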
The OWASP Top 10
OWASP (Open Web Application Security Project) publishes the ten most critical web application security risks. Every tech professional should know what this is — even if they cannot explain each one. If you see a security ticket referencing OWASP A01 or A03, you know it is serious.
The full OWASP Top 10 (2021) continues through A10. The three above are the most frequently exploited and the most likely to appear in your work.
Security practices every tech professional should follow
These are personal security hygiene habits — things that protect your accounts, your employer's systems, and the users who trust you with their data.
Use a password manager (1Password, Bitwarden)
Unique strong passwords for every service, stored securely.
Enable MFA everywhere
SMS is better than nothing; authenticator app (Google Authenticator, Authy) is significantly better.
Never hardcode credentials
No API keys, passwords, or tokens in code or shared documents. Use environment variables.
Assume public is public
Any link you share, file you upload, or post you make can be found by someone.
Encrypt sensitive data
Personal data (PII) should always be encrypted at rest and in transit (HTTPS).
Concepts PMs and analysts need when making product decisions
These concepts come up in product reviews, legal discussions, and engineering debates. Understanding them makes you a better collaborator and helps you ask the right questions before a decision gets made.
PII (Personally Identifiable Information)
Name, email, phone, IP address, location. Collecting it creates compliance and security obligations.
GDPR / CCPA
Data privacy regulations that dictate how user data is collected, stored, and deleted. They affect product decisions directly.
Principle of Least Privilege
Users and systems should only have access to the data they need. Relevant for permissions design.
Data minimization
Collect only what you need. Every field you collect is a liability if you are breached.
Go deeper
Explore cybersecurity careers
If this sparked an interest, see what a career in cybersecurity looks like — the roles, skills, and paths into the field.