Introduction: Why the series?

Hi everyone. I am Victor and I'm glad to have you here. I have decided to make my contribution to solving a problem that currently plagues everyone in one way, shape or form. The problem of security.

This is the beginning of a series of posts relating to DevSecOps. In this series, we will go through what it takes to implement a fully functional DevSecOps pipeline while comprehensively securing our API. We will build out a simple Todo API (Might do the front-end later) while integrating security every step of the way. We will revise various security implementations as the project matures. Essentially, I want to build the most secure backend possible.

Disclaimer: This is my first time blogging, but you should see improvement over time.
I will illustrate various concepts using various tools and will implement this API following the defense-in-depth principle at all levels. Without much further ado, let's dive into it!

For the API, I will use the Django framework and other supporting libraries.

What is "Defense In Depth" and why is it important?

This is a cybersecurty strategy that uses multiple layers of security controls to protect assets. This way, if one measure 'fails', another can cover for this shortfall. This, however, is not to be confused with layered security as this is largely viewed as the practical implementation of Defense-in-depth. Some will describe layered security as multiple implementations of solutions that are geared towards achieving the same thing e.g. multiple firewalls.

We can use the analogy of securing a house. You have door locks everywhere, a gate, perhaps even a dog, security guard and a highly sophisticated alarm system with CCTV cameras and other gizmos.
By applying this approach, it becomes harder to attack and infiltrate the house.
This series will focus on three core layers of security:

  1. API Security - Authentication, Authorization, Auditing, rate limiting, input validation (and other items we may need to consider)
  2. Data Protection - Encryption, secure storage, data integrity
  3. Network Security - Firewalls, DDOS protection, intrusion detection.

The First Layer: Secure API Design Principles

Before writing a single line of code, we need to establish guiding security principles:

🔒 Zero Trust

"Never trust, always verify." Every request must be authenticated and authorized, even if it comes from within our system.

📏 Principle of Least Privilege (PoLP)

Users, services, and components should only have the minimum access they need to perform their tasks—nothing more.

🚨 Fail Securely

Errors should be handled gracefully. No sensitive data (e.g., stack traces, database errors) should be exposed in API responses.

⚙️ Secure by Default

Security shouldn’t be an opt-in feature; it should be the default. Whether it’s using HTTPS, enforcing strong passwords, or enabling logging, the safest option should always be the easiest to use.

Additionally, we will work towards implementing security checks at the developer machine level, such as pre-commit checks for code before it is pushed to the repository.

Next Steps: Laying the First Security Foundations

In the next post, we’ll take these principles and start implementing them in code. We’ll focus on:
✅ Choosing the right authentication mechanism (OAuth2, JWT, or something else?)
✅ Setting up secure API routes (handling authentication, authorization, and role-based access control)
✅ Implementing proper request validation to prevent common attacks like SQL injection and XSS

This is just the beginning. By the time we’re done, this won’t be just another API—it’ll be a fortress.

👉 Stay tuned! Let’s build something secure together.