Security · Fundamentals

Security Fundamentals

The mental model before the mechanisms: what you protect, from whom, and why perfection isn’t the goal.

Security Basics → Interview
01

The CIA Triad

Every security control defends one of three properties. When an interviewer asks “what does security even mean?”, this is the answer:

PropertyQuestion it answersExample controlExample failure
ConfidentialityWho can read it?Encryption, access controlData breach, leaked S3 bucket
IntegrityHas it been tampered with?Hashes, signatures, immutabilityModified transaction, supply-chain implant
AvailabilityIs it there when needed?Redundancy, rate limiting, backupsDDoS, ransomware, deleted database
Controls trade against each other: aggressive lockouts protect confidentiality but hand attackers an availability weapon (lock everyone out by spamming wrong passwords). Good design names the trade-off.
02

Threat Modeling — Think Before You Harden

Security without a threat model is decoration. Ask four questions: What am I protecting? (assets) From whom? (attackers and their capabilities) Through what paths? (attack surface) What happens if it fails? (impact). Microsoft’s STRIDE is the standard checklist:

LetterThreatViolates
SSpoofing — pretending to be someone elseAuthentication
TTampering — modifying data or codeIntegrity
RRepudiation — denying an action, no proofNon-repudiation
IInformation disclosure — leaking dataConfidentiality
DDenial of serviceAvailability
EElevation of privilege — user becomes adminAuthorization

Walk your system’s data flows and ask each STRIDE question at every trust boundary — where data crosses from less-trusted to more-trusted territory (browser → API, API → database, service → service).

03

Defense in Depth & Least Privilege

Assume any single control will fail. Defense in depth layers controls so a breach of one layer meets another: WAF in front, input validation in the app, parameterized queries at the database, least-privileged DB user, network segmentation behind, monitoring throughout.

Least privilege in practice
  • App’s DB user can’t DROP TABLE
  • Tokens scoped to needed permissions only
  • Containers run as non-root
  • Secrets visible only to services that use them
The anti-pattern
  • One admin credential shared everywhere
  • API keys with god-mode scope
  • Everything runs as root “for convenience”
  • Prod database reachable from every machine
Least privilege is the cheapest control you’ll ever deploy: it doesn’t stop the breach, it shrinks the blast radius — the difference between “one service compromised” and “everything compromised”.
04

Vocabulary Interviewers Test

TermMeansNot to be confused with
VulnerabilityA weakness that could be abusedThreat (the actor/event that might abuse it)
ExploitWorking technique abusing a vulnerabilityPayload (what runs after exploitation)
RiskLikelihood × impactVulnerability (risk needs a threat AND a weakness)
0-dayVulnerability unknown to the vendor — no patch existsUnpatched known CVE (much more common in breaches)
CVEPublic identifier for a disclosed vulnerabilityCVSS (the 0-10 severity score attached to it)

The uncomfortable truth interviewers like to hear: most breaches use known, patched-months-ago vulnerabilities, weak credentials, or misconfiguration — not 0-days. Boring hygiene beats exotic defenses.

05

Interview Questions

What is the CIA triad — with a real failure for each?

Confidentiality (leaked S3 bucket exposing user data), integrity (attacker modifies a payment amount in transit), availability (DDoS takes the service down). Every control maps to defending at least one.

How would you threat-model a new feature?

Diagram data flows and trust boundaries, enumerate assets and who’d want them, run STRIDE at each boundary, rank by likelihood × impact, and fix top risks — accepting and documenting the rest. Security is prioritization, not perfection.

Defense in depth — why layer if each layer works?

Because each layer fails sometimes: WAFs get bypassed, validation misses a case, someone reuses a password. Independent layers turn “one mistake = breach” into “several simultaneous mistakes = breach”.

Vulnerability vs exploit vs risk.

Vulnerability: the weakness. Exploit: the working technique that abuses it. Risk: likelihood the threat exercises the weakness × the impact if it does — which is why an unreachable critical CVE can be lower risk than a reachable medium one.

Quick Quiz

1. Ransomware encrypting your database primarily attacks…
2. In STRIDE, elevation of privilege violates…
3. A trust boundary is…
4. Least privilege primarily shrinks…
5. Most real-world breaches use…