From 609a75aa00ab06ce35c732da182cd65efb33119f Mon Sep 17 00:00:00 2001 From: Donne Martin Date: Thu, 2 Mar 2017 19:44:33 -0800 Subject: [PATCH] Add Security section --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index aefc61a..ce770bb 100644 --- a/README.md +++ b/README.md @@ -1628,3 +1628,19 @@ REST is focused on exposing data. It minimizes the coupling between client/serv * [Crack the system design interview](http://www.puncsky.com/blog/2016/02/14/crack-the-system-design-interview/) * [Thrift](https://code.facebook.com/posts/1468950976659943/) * [Why REST for internal use and not RPC](http://arstechnica.com/civis/viewtopic.php?t=1190508) + +## Security + +This section could use some updates. Consider [contributing](#contributing)! + +Security is a broad topic. Unless you have considerable experience, a security background, or are applying for a position that requires knowledge of security, you probably won't need to know more than the basics: + +* Encrypt in transit and at rest. +* Sanitize all user inputs or any input parameters exposed to user to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) and [SQL injection](https://en.wikipedia.org/wiki/SQL_injection). +* Use parameterized queries to prevent SQL injection. +* Use the principle of [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege). + +### Source(s) and further reading + +* [Security guide for developers](https://github.com/FallibleInc/security-guide-for-developers) +* [OWASP top ten](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet)
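Review bot: in the `## Security` hunk the bullet `* Sanitize all user inputs or any input parameters exposed to user to prevent [XSS](...) and [SQL injection](...)` presents input sanitization as the defense for both issues, which is misleading: XSS is prevented primarily by context-aware output encoding (escaping data at the point it is rendered into HTML, attributes, JavaScript or URLs), and SQL injection by the parameterized queries the very next bullet already names, so as written the two bullets overlap and a reader could conclude that sanitizing input alone is sufficient. Suggest splitting it into `* Validate and sanitize all user inputs or any input parameters exposed to users.` and `* Encode output to prevent [XSS](...)`, and leaving `* Use parameterized queries to prevent SQL injection.` as the sole SQL-injection bullet. Same bullet: "exposed to user" should read "exposed to users". Minor: `* Encrypt in transit and at rest.` would be clearer naming TLS for transit, and `* [OWASP top ten](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet)` links to the Top Ten cheat sheet rather than the Top Ten project itself; consider pointing at the project page or renaming the link to match.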