Security Fundamentals
The mental model before the mechanisms: what you protect, from whom, and why perfection isn’t the goal.
The CIA Triad
Every security control defends one of three properties. When an interviewer asks “what does security even mean?”, this is the answer:
| Property | Question it answers | Example control | Example failure |
|---|---|---|---|
| Confidentiality | Who can read it? | Encryption, access control | Data breach, leaked S3 bucket |
| Integrity | Has it been tampered with? | Hashes, signatures, immutability | Modified transaction, supply-chain implant |
| Availability | Is it there when needed? | Redundancy, rate limiting, backups | DDoS, ransomware, deleted database |
Threat Modeling — Think Before You Harden
Security without a threat model is decoration. Ask four questions: What am I protecting? (assets) From whom? (attackers and their capabilities) Through what paths? (attack surface) What happens if it fails? (impact). Microsoft’s STRIDE is the standard checklist:
| Letter | Threat | Violates |
|---|---|---|
S | Spoofing — pretending to be someone else | Authentication |
T | Tampering — modifying data or code | Integrity |
R | Repudiation — denying an action, no proof | Non-repudiation |
I | Information disclosure — leaking data | Confidentiality |
D | Denial of service | Availability |
E | Elevation of privilege — user becomes admin | Authorization |
Walk your system’s data flows and ask each STRIDE question at every trust boundary — where data crosses from less-trusted to more-trusted territory (browser → API, API → database, service → service).
Defense in Depth & Least Privilege
Assume any single control will fail. Defense in depth layers controls so a breach of one layer meets another: WAF in front, input validation in the app, parameterized queries at the database, least-privileged DB user, network segmentation behind, monitoring throughout.
- App’s DB user can’t
DROP TABLE - Tokens scoped to needed permissions only
- Containers run as non-root
- Secrets visible only to services that use them
- One admin credential shared everywhere
- API keys with god-mode scope
- Everything runs as root “for convenience”
- Prod database reachable from every machine
Vocabulary Interviewers Test
| Term | Means | Not to be confused with |
|---|---|---|
| Vulnerability | A weakness that could be abused | Threat (the actor/event that might abuse it) |
| Exploit | Working technique abusing a vulnerability | Payload (what runs after exploitation) |
| Risk | Likelihood × impact | Vulnerability (risk needs a threat AND a weakness) |
| 0-day | Vulnerability unknown to the vendor — no patch exists | Unpatched known CVE (much more common in breaches) |
| CVE | Public identifier for a disclosed vulnerability | CVSS (the 0-10 severity score attached to it) |
The uncomfortable truth interviewers like to hear: most breaches use known, patched-months-ago vulnerabilities, weak credentials, or misconfiguration — not 0-days. Boring hygiene beats exotic defenses.
Interview Questions
What is the CIA triad — with a real failure for each?
Confidentiality (leaked S3 bucket exposing user data), integrity (attacker modifies a payment amount in transit), availability (DDoS takes the service down). Every control maps to defending at least one.
How would you threat-model a new feature?
Diagram data flows and trust boundaries, enumerate assets and who’d want them, run STRIDE at each boundary, rank by likelihood × impact, and fix top risks — accepting and documenting the rest. Security is prioritization, not perfection.
Defense in depth — why layer if each layer works?
Because each layer fails sometimes: WAFs get bypassed, validation misses a case, someone reuses a password. Independent layers turn “one mistake = breach” into “several simultaneous mistakes = breach”.
Vulnerability vs exploit vs risk.
Vulnerability: the weakness. Exploit: the working technique that abuses it. Risk: likelihood the threat exercises the weakness × the impact if it does — which is why an unreachable critical CVE can be lower risk than a reachable medium one.