Security Concepts

The sum of all entry points an attacker could potentially exploit: public APIs, open ports, input fields, third-party dependencies, employee credentials. Reducing the attack surface is a primary security goal — disable unused features, close unused ports, remove unused dependencies.

"Removing the legacy FTP endpoint reduced our attack surface significantly — it was only used by one internal tool that we've now migrated to SFTP."

A structured analysis of potential threats to a system: who might attack it, what they want, how they could attack, and what the impact would be. STRIDE is a common framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Done early in the design phase.

"The threat model for the payments API identified four high-priority threats: credential stuffing on the auth endpoint, SQL injection in the search filter, stolen JWT tokens from compromised clients, and insider data exfiltration via the admin export API."

CVE (Common Vulnerabilities and Exposures): a numbered identifier for a specific publicly known vulnerability (e.g., CVE-2021-44228 for Log4Shell). CVSS (Common Vulnerability Scoring System): a 0–10 severity score. Critical: 9.0–10.0. High: 7.0–8.9. Medium: 4.0–6.9. Low: 0.1–3.9.

"Log4Shell (CVE-2021-44228) had a CVSS score of 10.0 — the maximum critical severity. We had to patch every system using Java logging within 24 hours."

The Open Web Application Security Project's list of the ten most critical web security risks. The current list includes: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Data Integrity Failures, Logging Failures, SSRF. Used as a baseline checklist for secure development.

"Our quarterly security review uses the OWASP Top 10 as a checklist — we map each category to our own controls and identify any gaps. Broken access control is our highest-risk category this quarter."

An attack where untrusted data is sent to an interpreter as part of a command or query. SQL injection: malicious SQL in user input. XSS (Cross-Site Scripting): malicious JavaScript injected into a page. Command injection: malicious shell commands in user-supplied parameters. Prevention: parameterised queries, input validation, output encoding, Content Security Policy.

"The search endpoint was vulnerable to SQL injection — the user input was being interpolated directly into the query. Switching to parameterised queries with prepared statements fixed the vulnerability."

Authentication (AuthN): verifying who you are — proving identity. Common methods: password, MFA, certificate, SAML, OIDC. Authorisation (AuthZ): verifying what you are allowed to do — enforcing permissions. Common models: RBAC (role-based), ABAC (attribute-based), ACL. 401 Unauthorized = not authenticated. 403 Forbidden = authenticated but not authorised.

"The bug allowed any authenticated user to access any other user's invoice — authentication was working correctly (we knew who you were) but authorisation was broken (we weren't checking if you owned that resource)."

Encryption at rest: data stored on disk (databases, file systems, backups) is encrypted. Encryption in transit: data moving over the network is encrypted, typically using TLS 1.2+. Both are required for a compliant, secure system. Symmetric encryption uses the same key to encrypt and decrypt. Asymmetric encryption uses a key pair (public + private key).

"All databases are encrypted at rest using AES-256, and all inter-service communication is encrypted in transit via mTLS. In a compliance audit, these are typically the first two items inspected."

A compact, self-contained token for transmitting claims between parties. Consists of three base64-encoded parts: header (algorithm), payload (claims: user ID, roles, expiry), and signature (verifies the token hasn't been tampered with). The server can validate a JWT without a database lookup. Short expiry times limit the blast radius of a stolen token.

"We sign JWTs with RS256 (RSA + SHA-256) — the private key signs, public keys verify. This means our API gateways can validate tokens without access to the secret, reducing the risk of key exposure."

A security principle: every user, service, or process should have only the minimum access rights needed to perform its function — no more. Reduces blast radius: if a component is compromised, the attacker gains only limited access. Applied to IAM roles, database users, OS users, API scopes.

"The batch job's service account had full admin access to the database because the developer chose the easiest option. We applied least privilege — the account now has SELECT on three tables only. When it was compromised two months later, the attacker could read but not modify data."

A security model where no user, device, or network connection is inherently trusted — every request is always verified, regardless of whether it comes from inside the corporate network or outside. Replaces the "castle and moat" model where internal network traffic was trusted by default. Requires: identity verification on every request, device health checks, network segmentation, least privilege.

"After the breach, we moved to a zero trust model — even internal services now present a certificate and a valid JWT to each other. There is no implicit trust based on being on the same network."

Authentication requiring two or more verification factors: something you know (password), something you have (TOTP code, hardware key), something you are (biometric). MFA significantly reduces account takeover risk — even if a password is stolen, the attacker cannot log in without the second factor.

"After enabling mandatory MFA for all admin accounts, our phishing simulation success rate for account takeover dropped from 12% to 0% — stolen passwords are useless without the hardware token."

Authorised, simulated attack on a system to identify vulnerabilities before malicious actors do. A penetration tester (pen tester) attempts to exploit the system using the same techniques as real attackers. Types: black box (no prior knowledge), white box (full access to code and architecture), grey box (partial knowledge). Distinguished from a vulnerability scan (automated tools only).

"The annual pen test found a privilege escalation vulnerability in the admin API — the tester started as a read-only user and obtained admin access in three steps. The finding was critical severity and patched within 48 hours."

Security Information and Event Management — a system that collects and correlates log data across all components (servers, network devices, applications) to detect security threats in real time. Correlates events that appear harmless individually but together indicate an attack (e.g., failed login + successful login from a different country + large data export).

"The SIEM detected the breach before any human did — it correlated three events: a successful login from an unusual IP, an immediate bulk API request pattern, and a large data export. The automated alert fired in 4 minutes."

An incident where unauthorised parties access, steal, or expose sensitive or confidential data. Legal notification requirements (GDPR Article 33: 72 hours to notify supervisory authority; GDPR Article 34: notify affected individuals without undue delay for high-risk breaches). Categories: accidental exposure, external attack, insider threat.

"The data breach involved 48,000 user records including hashed passwords and email addresses. We notified the Data Protection Authority within 48 hours of confirmation and began emailing affected users within 72 hours."

The process of reporting a security vulnerability to the affected organisation. Responsible disclosure (coordinated disclosure): the researcher reports privately, the organisation fixes it, then both parties publish details. Bug bounty programmes formalise this by offering financial rewards. Responsible disclosure timelines: typically 90 days before public disclosure regardless of fix status.

"A security researcher found a SQL injection in our API and followed responsible disclosure — they gave us 90 days to fix it before publishing. We patched it in 12 days and acknowledged their contribution in the security advisory."

Psychological manipulation of people to divulge confidential information or perform actions that compromise security. Phishing: fraudulent emails impersonating trusted entities. Spear phishing: targeted phishing. Vishing: voice/phone phishing. Pretexting: fabricated scenario to extract information. Often the most effective attack vector — technology doesn't fix human behaviour.

"The attacker didn't hack our systems — they called our IT helpdesk pretending to be a new employee who had been locked out and needed their password reset. Social engineering bypassed all our technical controls."