Collection 01

Software Security Primer

Adapted from "Software Security: Why We Keep Shooting Ourselves in the Foot" and Patch Murphy's own late-night war stories.


Lesson 01

Test the weird stuff first.

A programming 101 assignment taught Patch that happy paths rarely fail; it's the professor typing "maybe" that wrecks your demo.

The 20 Questions disaster

The class built guess-a-thing games. Nobody enforced the question limit. Inputs were free-form. Demo day became a live-fire exercise in missing constraints: infinite loops, negative numbers, and one spectacular crash when the professor typed "maybe" instead of "yes".

Takeaway: Spell out constraints. Write tests for upper bounds. Validate vocabulary. If your user can type it, your code should expect it.

  • Budget 30% of build time for destructive testing.
  • List every assumption a user could break.
  • Let automation hammer those assumptions nightly.
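The constraints the 20 Questions demo lacked, as an added example that is not part of the original primer: a fixed question limit, a closed yes/no vocabulary, and an upper bound on reply length. The names `MAX_INPUT_LEN`, `MAX_RETRIES`, `parse_answer` and `play`, and their values, are assumptions made for illustration.

```python
MAX_QUESTIONS = 20
MAX_INPUT_LEN = 32   # upper bound on one reply (assumed value)
MAX_RETRIES = 3      # invalid replies tolerated per question (assumed value)
VOCAB = {"yes": True, "y": True, "no": False, "n": False}


class InvalidAnswer(ValueError):
    """Raised when a reply is outside the accepted vocabulary or bounds."""


def parse_answer(raw):
    """Map free-form input to True/False, or raise InvalidAnswer."""
    if not isinstance(raw, str) or len(raw) > MAX_INPUT_LEN:
        raise InvalidAnswer("reply missing or too long")
    word = raw.strip().lower()
    if word not in VOCAB:
        raise InvalidAnswer(f"expected yes/no, got {word!r}")
    return VOCAB[word]


def play(questions, replies):
    """Ask at most MAX_QUESTIONS questions, reading from `replies`.

    Returns (answers, rejected). Terminates on every input: the question
    count and the retry count are bounded, and exhausted input ends the game.
    """
    answers, rejected = [], 0
    replies = iter(replies)
    for _question in questions[:MAX_QUESTIONS]:
        for _attempt in range(MAX_RETRIES):
            raw = next(replies, None)
            if raw is None:             # input ran out: stop instead of looping
                return answers, rejected
            try:
                answers.append(parse_answer(raw))
                break
            except InvalidAnswer:
                rejected += 1
        else:
            return answers, rejected    # retry budget spent: end cleanly
    return answers, rejected
```

Feeding `play` a list of replies instead of reading the keyboard is what lets a nightly job replay hostile input against it.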

Lesson 02

Never trust the client.

Network programming lab, week one. Coffee hits desk. Chalkboard screams the mantra.

Malformed everything

Learning sockets in C meant staring down packet captures. The professor spoofed source addresses, overflowed buffers, and swapped credentials mid-session simply because the client said it could. Every demo ended with "the client lies; verify anyway".

Takeaway: Validate at every layer. Authenticate with context. Enforce authorization on the server, not the UI.

  • Assume inputs are hostile, even if they come from your own app.
  • Log and throttle anomalies before they take you down.
  • Document trust boundaries on an architecture diagram.

Lesson 03

Automate anything that steals focus.

Dot-com era deployments took ten minutes. Scripts rescued sanity and, accidentally, security.

The J2EE wait game

Deploying to early app servers meant staring at log files for "Server started". Patch wrote scripts to tail logs, grep for success, and play a sound when deployments finished. Fewer mistakes, fewer 3 AM pages.

Takeaway: Automation isn't just speed—it's consistency. Consistency is security.

  • Automate deploy verification before automating deploys.
  • Instrument scripts to alert when something drifts.
  • Version-control every helper script like production code.

Downloadable references coming soon.

Check back for checklists, threat-model worksheets, and sample repos as the series expands. Want something specific? Ping Patch.
