Chapter 7: Security Architecture

Designing Secure, Resilient & Compliant Systems

🏠 Course Home

↩ Previous [Chapter 6: API Design & System Integration]

You designed a payments API, implemented a webhook, and evaluated integration strategies. Now, it’s time to ensure those integrations are secure.

Objective

To equip you with the mindset and practical tools needed to design secure systems, from authentication flows and encrypted communications to threat modeling and OWASP-aware architecture.

Why Security Is a First-Class Concern

As a Solution Architect, your goal is not only to make systems function, but to make them safe by design.

Security isn’t a feature you “add later.” It must be:

• Designed into APIs, data flows, and infrastructure
• Embedded into authentication, authorization, and access control
• Guided by frameworks like OWASP, Zero Trust, and least privilege

Threat Modeling, Thinking Like an Attacker

Threat modeling is the proactive process of identifying:

• What are we building?
• What could go wrong?
• What are we doing about it?

Tools & Techniques:

• STRIDE model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
• Attack surface analysis
• Data flow diagrams

Architect’s Tip: Always ask, “What happens if this component is compromised?”

Authentication & Authorization

OAuth2

• Industry-standard protocol for delegated access
• Used by Google, GitHub, etc. to let users log in via third-party accounts
• Involves Access Tokens, Refresh Tokens, Authorization Server

JWT (JSON Web Tokens)

• A compact token format used to authenticate and authorize requests
• Contains user claims and is signed to ensure integrity
• Used in stateless API authentication (Bearer tokens)

Common Pitfalls:

• Storing JWTs in localStorage (vulnerable to XSS)
• Failing to validate token expiry or issuer

Data Encryption: At-Rest & In-Transit

At Rest:

• Encrypt databases, backups, and filesystems (e.g., AES-256)
• Cloud-native options: AWS KMS, Azure Key Vault

In Transit:

• Use HTTPS/TLS 1.2+ for all communications
• Avoid sending sensitive data via query params

Design Insight: Always encrypt sensitive PII and use HMAC or signature-based validation for integrity.

API & Web Security Best Practices

• Always validate input (avoid trusting client-side checks)
• Use rate limiting and throttling
• Implement CORS policies wisely
• Avoid verbose error messages in production
• Use API keys, OAuth scopes, and RBAC

Architect’s Rule: Security by default. Exposure by exception.

OWASP Top 10, Common Web Vulnerabilities

Make sure your architecture guards against:

1. Injection (SQL, NoSQL, OS)
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

Actionable Tip: Incorporate these into code reviews, design reviews, and CI/CD pipeline scans.

Lab: Secure an Exposed API with JWT

Objective: Add JWT-based authentication to an existing API

Steps:

• Generate JWT on login using secret key
• Require JWT in Authorization header on protected routes
• Validate token, expiration, and claims
• Return 401 for invalid/missing tokens

Bonus:

• Add role-based access control (e.g., only admin can DELETE)

Assignment: Find the Flaws

You’ll receive an architecture diagram (e.g., web app with microservices, DB, queue, etc.)

Your task:

• Identify 5+ security flaws or risks
• Propose architectural fixes
• Explain reasoning (e.g., unencrypted S3 bucket, missing rate limiting)

Key Takeaways

• Security is a shared responsibility, but architecture sets the tone
• Implement Zero Trust principles, never assume internal = safe
• Always design for least privilege, fail-safe defaults, and secure defaults
• Use tools (like OAuth2, JWT, KMS) wisely, misconfiguration is a top risk
• Security is not a project, it’s a mindset

Next Up → Chapter 8: Performance & Cost Optimization

Now that your system is secure and stable, the next challenge is efficiency. Learn how to architect for performance tuning, scaling, and cost control across compute, storage, and networking.

Course is powered by Techvalens

This program is brought to the developer community by Techvalens, a global technology consulting company with over 17 years of experience in building scalable digital solutions for clients across the US, Europe, and India.

We’re the minds behind Evluate AI, AI-powered hiring platform and we’re committed to empowering the next generation of tech leaders.

Follow us on LinkedIn for expert insights, system design tips, and updates on upcoming programs: linkedin.com/company/techvalens