3. Common Misconceptions About Security

Developers often underestimate risk. Here are three common myths that lead to insecure design:

  1. "My script is too small to target."
     • Attackers automate scanning: any open endpoint or public repo can be found and exploited.
  2. "Python handles security for me."
     • The language helps, but unsafe libraries and logic errors can still cause leaks.
  3. "No one will find this code."
     • GitHub, package indexes, and backups are public targets.

Example: Exposed Secrets

# Insecure: hardcoded secret (committed to the repo, visible in backups and history)
API_KEY = "super_secret_key"

# Secure: read the secret from the environment and refuse to start without it
import os

API_KEY = os.getenv("API_KEY")
if not API_KEY:
    raise EnvironmentError("Missing API key.")
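As an added example, not part of the original page: a small scanner that finds the insecure pattern above (a string literal assigned to a secret-looking name) using Python's `ast` module, alongside a loader that reads secrets from the environment the way the secure snippet does. The names `find_hardcoded_secrets`, `load_secret` and the name regex are this example's own assumptions; the sample source is constructed.

```python
import ast
import os
import re

# Heuristic for variable names that usually hold credentials (assumed, not exhaustive).
SECRET_NAME = re.compile(r"(api_?key|secret|token|password|passwd)", re.IGNORECASE)


def find_hardcoded_secrets(source: str):
    """Return (line, name) for each assignment of a non-empty string literal
    to a secret-looking variable name in the given Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        # Only literal strings count; os.getenv(...) calls are the secure form.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                findings.append((node.lineno, target.id))
    return findings


def load_secret(name: str) -> str:
    """Read a secret from the environment; fail loudly if it is missing or empty."""
    value = os.environ.get(name)
    if not value:
        raise EnvironmentError(f"Missing required environment variable: {name}")
    return value


# Constructed sample source mixing the page's insecure and secure snippets.
SAMPLE = '''
API_KEY = "super_secret_key"
DB_PASSWORD = "hunter2"
import os
API_KEY = os.getenv("API_KEY")
TIMEOUT = "30"
'''

if __name__ == "__main__":
    # Only the two literal credentials are reported; the getenv call and TIMEOUT are not.
    print(find_hardcoded_secrets(SAMPLE))  # [(2, 'API_KEY'), (3, 'DB_PASSWORD')]
```

Run the scanner over a file with `find_hardcoded_secrets(open(path).read())` as a pre-commit check, and keep the real value only in the environment or a secrets manager.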