> For the complete documentation index, see [llms.txt](https://www.pranaypourkar.co.in/the-programmers-guide/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.pranaypourkar.co.in/the-programmers-guide/java/code-quality-and-analysis/quality-metrics/security.md). # Security ## About **Security**, as a quality metric, measures how well a codebase **preserves its intended behavior under adversarial conditions**. Unlike reliability, which focuses on failure under stress, security focuses on **failure under attack**. From a code-quality perspective, security is not an add-on; it is **correctness in the presence of malicious intent**. ## Security as a Property of Correctness Security is often treated as separate from correctness, but this is misleading. A system is insecure because: * It behaves correctly for honest users * But behaves incorrectly for attackers This means security failures are **conditional correctness failures**, triggered when assumptions about usage, input, or behavior are violated intentionally. High-quality code makes fewer assumptions and enforces more invariants. ## Security vs Reliability in Quality Terms Reliability asks: * What happens when things go wrong accidentally? Security asks: * What happens when someone tries to make things go wrong? The mechanisms overlap: * Input validation * Error handling * Resource control * State consistency But the intent differs. Security assumes **hostile inputs and sequences**, not just unexpected ones. ## Sources of Security Weakness in Code Security degradation in code often comes from: * Implicit trust assumptions * Over-permissive logic * Inconsistent enforcement of checks * Hidden side effects * Scattered security decisions These weaknesses are rarely obvious. They accumulate gradually and surface when systems gain exposure or value. ## Security as a Negative Space Metric Unlike performance or coverage, security is often measured by **absence**: * Absence of exploitable paths * Absence of unintended information flows * Absence of privilege escalation This makes security difficult to prove and easy to underestimate. From a quality lens, security improves when: * Code paths are constrained * Capabilities are explicit * Behavior is predictable under misuse ## Security and Change Security is highly sensitive to change. Code that was secure yesterday may become insecure when: * New features expose internal paths * Integrations change trust boundaries * Dependencies evolve * Data sensitivity increases This makes security a **dynamic quality metric**, not a static one. High-quality systems anticipate this by: * Centralizing security logic * Making assumptions explicit * Limiting blast radius of changes ## Security Debt Just like technical debt, systems accumulate **security debt**: * Known but unaddressed weaknesses * Deferred fixes * Accepted risks without documentation Security debt compounds because: * Attack techniques evolve * Exposure increases * Fixing later is harder and riskier From a quality perspective, unmanaged security debt is a leading indicator of future incidents. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://www.pranaypourkar.co.in/the-programmers-guide/java/code-quality-and-analysis/quality-metrics/security.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.