1. Cost Curve Calculator
Move the slider to choose when a bug is found and see how cost grows exponentially as fixes are delayed. This demonstrates the "shift-left" principle: the earlier bugs are found, the cheaper they are to fix (Chung et al., 2014).
Estimated fix cost (illustrative)
$1,000
Tip: choose different bug types to see relative severity and remediation effort.
Relative multiplier
x1
Cost curve across phases
Note: numbers are illustrative to emphasise the exponential relationship between discovery timing and remediation cost.
Research prompt: "Explain why defect remediation cost grows across development phases and examples of effective 'shift-left' testing practices."
2. CIA Triad Sorter
Drag each breach example into the correct pillar: Confidentiality, Integrity, or Availability.
Customer emails leaked from backup
Database records corrupted after bad migration
DDoS attack bringing site offline
Unauthorized price changes in DB
Exposed API key in public repo
Ransomware encrypted backups
Confidentiality
Integrity
Availability
Research prompt: "How do confidentiality, integrity, and availability incidents differ? Give real-world breach examples for each and mitigation strategies."
3. Security vs. Functionality Balance
Allocate a budget between 'New Features' and 'Security Audits' and run a simulated stability test.
Stability
Adjust the expected user base to see how exposure increases operational risk.
Result:
Balanced
Hint: too little security investment produces fragile products; too little feature investment may hurt competitiveness.
Research prompt: "Describe approaches to balance security investment and feature velocity; include cost models and org patterns (e.g., SRE, security champions)."
4. Vulnerability Quiz
Click the line that looks suspicious (example: SQL injection risk).
const user = req.query.user;
const q = `SELECT * FROM users WHERE name = '${user}'`;
db.query(q, (err, rows) => res.json(rows));
Research prompt: "What is SQL injection, how can it appear in Node.js code, and how do parameterized queries prevent it? Provide example fixes."
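Added example (not part of the original quiz code): the quiz's string-built query next to a parameterized handler, run against a constructed stand-in for the database so it works offline. The fake driver, the function names, the `id` column, the 64-character limit and the `?` placeholder style (as used by mysql/mysql2) are assumptions made for illustration.

```javascript
// Constructed stand-in for a driver with ? placeholders (assumed style, as in
// mysql/mysql2). It records what it is handed so the two approaches can be compared.
function makeFakeDb(rows) {
  const calls = [];
  return {
    calls,
    query(sql, params, cb) {
      calls.push({ sql, params });
      cb(null, rows);
    },
  };
}

// The quiz code: the value is pasted into the SQL text (vulnerable, as on the page).
function buildConcatenated(user) {
  return `SELECT * FROM users WHERE name = '${user}'`;
}

// Parameterized form: the SQL text is a constant and the value travels separately.
const FIND_USER_SQL = 'SELECT id, name FROM users WHERE name = ?'; // id column is assumed

function findUser(db, req, res) {
  const user = req.query.user;
  // Query-string parsers can yield arrays or objects; accept a plain string only.
  if (typeof user !== 'string' || user.length === 0 || user.length > 64) {
    return res.status(400).json({ error: 'invalid user parameter' });
  }
  db.query(FIND_USER_SQL, [user], (err, rows) => {
    // The quiz code ignores err; do not pass driver errors to the client.
    if (err) return res.status(500).json({ error: 'query failed' });
    res.json(rows);
  });
}

// Minimal constructed response object for running the handler offline.
function makeRes() {
  const res = { code: 200, body: undefined };
  res.status = (c) => { res.code = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

function demo() {
  const db = makeFakeDb([{ id: 1, name: "O'Brien" }]); // constructed sample row
  const ok = makeRes();
  findUser(db, { query: { user: "O'Brien" } }, ok);
  const bad = makeRes();
  findUser(db, { query: { user: ['a', 'b'] } }, bad); // e.g. ?user=a&user=b
  return { concatenated: buildConcatenated("O'Brien"), sent: db.calls, ok, bad };
}
```

With an ordinary name such as O'Brien, the concatenated version already produces SQL whose quoting is broken by the data, while the parameterized handler sends the same statement text for every input.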
5. Case Study Analysis
Read the scenario and select which security steps the startup skipped.
Scenario
Startup Launchly shipped an MVP quickly. They stored production secrets in plaintext, delayed setting up TLS, and only had one developer with admin access. After growth, attackers accessed keys and exfiltrated customer data.