Security Fundamentals & OWASP
Core Security Concepts
Every security interview begins with fundamentals. This lesson covers the essential concepts that interviewers use to assess your foundational knowledge.
The CIA Triad
The foundation of information security:
| Principle | Definition | Example Threats |
|---|---|---|
| Confidentiality | Only authorized parties can access data | Data breaches, unauthorized disclosure |
| Integrity | Data remains accurate and unaltered | Tampering, man-in-the-middle attacks |
| Availability | Systems accessible when needed | DDoS attacks, ransomware |
Interview Question: "How would you ensure CIA for a healthcare patient portal?"
Strong Answer Framework:
- Confidentiality: Encryption at rest and in transit, RBAC, audit logging
- Integrity: Input validation, checksums, digital signatures
- Availability: Redundancy, DDoS protection, disaster recovery
Authentication vs Authorization
A classic interview question that trips up many candidates:
| Concept | Question It Answers | Examples |
|---|---|---|
| Authentication (AuthN) | "Who are you?" | Passwords, MFA, biometrics |
| Authorization (AuthZ) | "What can you do?" | RBAC, ABAC, ACLs |
```python
# Interview Example: Identify the vulnerability
def get_user_data(user_id, request):
    # AuthN: verify the caller is logged in
    if not request.user.is_authenticated:
        raise AuthenticationError("Not logged in")
    # BUG: Missing AuthZ check!
    # Should verify request.user.id == user_id
    # This is an IDOR vulnerability
    return database.get_user(user_id)
```
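To make the distinction concrete, here is an added example (not code from the lesson) that places the vulnerable function beside a hardened version and runs both against a constructed in-memory user table. `User`, `Request`, `DATABASE` and the two exception classes are stand-ins for whatever the real framework provides; the `is_admin` role is an assumption used to show a legitimate cross-user read.

```python
from dataclasses import dataclass


class AuthenticationError(Exception):
    """Raised when the caller is not logged in (AuthN failure)."""


class AuthorizationError(Exception):
    """Raised when the caller is logged in but not permitted (AuthZ failure)."""


@dataclass
class User:
    id: int
    is_authenticated: bool = True
    is_admin: bool = False  # assumed role for the example


@dataclass
class Request:
    user: User


# Constructed sample records standing in for the real user table.
DATABASE = {
    1: {"id": 1, "email": "alice@example.com", "ssn_last4": "1111"},
    2: {"id": 2, "email": "bob@example.com", "ssn_last4": "2222"},
}


def get_user_data_vulnerable(user_id, request):
    """AuthN only: any logged-in user can read any user's record (IDOR)."""
    if not request.user.is_authenticated:
        raise AuthenticationError("Not logged in")
    return DATABASE[user_id]


def get_user_data_fixed(user_id, request):
    """AuthN plus object-level AuthZ: the caller may read only their own
    record unless they hold an explicit admin role."""
    if not request.user.is_authenticated:
        raise AuthenticationError("Not logged in")
    # The fix: bind the requested object to the identity of the caller.
    if request.user.id != user_id and not request.user.is_admin:
        raise AuthorizationError("Not allowed to read this user")
    return DATABASE[user_id]


def raises(exc_type, func, *args):
    """True if func(*args) raises exc_type; lets the two behaviours be compared."""
    try:
        func(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    alice = Request(User(id=1))  # Alice asks for Bob's record (id 2)
    print("vulnerable returns:", get_user_data_vulnerable(2, alice)["email"])
    print("fixed denies:", raises(AuthorizationError, get_user_data_fixed, 2, alice))
```

The interview point is the second `if`: authentication established who Alice is, but only the comparison of `request.user.id` against the requested `user_id` establishes what she may see.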
Defense in Depth
Multiple layers of security controls:
```text
┌───────────────────────────┐
│     Physical Security     │
│  ┌─────────────────────┐  │
│  │  Network Security   │  │
│  │  ┌───────────────┐  │  │
│  │  │     Host      │  │  │
│  │  │  ┌─────────┐  │  │  │
│  │  │  │   App   │  │  │  │
│  │  │  │ ┌─────┐ │  │  │  │
│  │  │  │ │Data │ │  │  │  │
│  │  │  │ └─────┘ │  │  │  │
│  │  │  └─────────┘  │  │  │
│  │  └───────────────┘  │  │
│  └─────────────────────┘  │
└───────────────────────────┘
```
Layers:
- Physical: Access controls, badges, cameras
- Network: Firewalls, IDS/IPS, segmentation
- Host: OS hardening, EDR, patch management
- Application: Input validation, SAST/DAST, WAF
- Data: Encryption, DLP, access controls
Least Privilege Principle
Grant minimum permissions necessary for a task.
Interview Scenario: "A developer needs to debug production issues. What access would you grant?"
Poor Answer: "Give them admin access to production."
Strong Answer:
- Read-only access to logs and metrics
- Time-limited access with approval workflow
- No access to PII or secrets
- Full audit trail of actions
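As an added example (not from the lesson), the four bullet points of the strong answer can be encoded as a small access-grant model: read-only actions, a scoped resource set, a TTL, an approval that is not a self-approval, exclusion of PII and secrets, and an audit entry for every decision. The resource catalogue, classifications, names and the four-hour default TTL are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed resource catalogue; each entry carries a data classification.
RESOURCES = {
    "prod/logs/app": "operational",
    "prod/logs/access-with-pii": "pii",
    "prod/metrics/cpu": "operational",
    "prod/db/customers": "pii",
    "prod/secrets/db-password": "secret",
}
EXCLUDED_CLASSES = {"pii", "secret"}


@dataclass
class DebugGrant:
    principal: str                       # who receives the access
    approved_by: str                     # output of the approval workflow
    issued_at: datetime
    ttl: timedelta = timedelta(hours=4)  # time-limited by default
    allowed_actions: frozenset = frozenset({"read"})           # read-only
    allowed_prefixes: tuple = ("prod/logs/", "prod/metrics/")  # logs and metrics only
    audit_log: list = field(default_factory=list)

    def expires_at(self) -> datetime:
        return self.issued_at + self.ttl


def check_access(grant: DebugGrant, action: str, resource: str, now: datetime) -> bool:
    """Decide whether `grant` permits `action` on `resource` at time `now`.

    Every decision, allow or deny, is appended to the grant's audit log
    together with its reason, so the trail is complete."""
    reason = None
    if grant.approved_by == grant.principal:
        reason = "self-approval not allowed"
    elif now >= grant.expires_at():
        reason = "grant expired"
    elif action not in grant.allowed_actions:
        reason = f"action {action!r} not in grant"
    elif not resource.startswith(grant.allowed_prefixes):
        reason = "resource outside grant scope"
    elif resource not in RESOURCES:
        reason = "unknown resource"
    elif RESOURCES[resource] in EXCLUDED_CLASSES:
        reason = "PII/secret resources excluded"
    allowed = reason is None
    grant.audit_log.append({
        "time": now.isoformat(),
        "principal": grant.principal,
        "action": action,
        "resource": resource,
        "allowed": allowed,
        "reason": reason or "ok",
    })
    return allowed


# Fixed clock and helpers so the scenario is reproducible.
ISSUED = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)


def hours_later(hours: float) -> datetime:
    return ISSUED + timedelta(hours=hours)


def make_grant() -> DebugGrant:
    return DebugGrant(principal="dev@example.com",
                      approved_by="oncall-lead@example.com",
                      issued_at=ISSUED)


if __name__ == "__main__":
    g = make_grant()
    scenario = [("read", "prod/logs/app", 1), ("write", "prod/logs/app", 1),
                ("read", "prod/db/customers", 1), ("read", "prod/logs/access-with-pii", 1),
                ("read", "prod/logs/app", 5)]
    for action, res, t in scenario:
        check_access(g, action, res, hours_later(t))
    for entry in g.audit_log:
        print(entry["allowed"], entry["action"], entry["resource"], entry["reason"])
```

Note that the checks are ordered from cheapest to most specific and that denials are logged as carefully as allows; an audit trail that only records successes cannot show what a compromised grant tried and failed to do.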
Trust Boundaries
Where data crosses between different trust levels:
```text
┌──────────────────────────────────────────────────┐
│                     INTERNET                     │
│                 (Untrusted Zone)                 │
└────────────────────┬─────────────────────────────┘
                     │  ◀── Trust Boundary 1
┌────────────────────▼─────────────────────────────┐
│                       DMZ                        │
│               (Semi-trusted Zone)                │
│       [Load Balancer]  [WAF]  [API Gateway]      │
└────────────────────┬─────────────────────────────┘
                     │  ◀── Trust Boundary 2
┌────────────────────▼─────────────────────────────┐
│                 INTERNAL NETWORK                 │
│                  (Trusted Zone)                  │
│  [App Servers]  [Databases]  [Internal Services] │
└──────────────────────────────────────────────────┘
```
Key Interview Point: Every trust boundary crossing requires validation and sanitization.
Pro Tip: When asked about any security design, start by identifying trust boundaries. This demonstrates systematic thinking.
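An added example (not from the lesson) of what "validation at the boundary" looks like in code: a request body arriving from the untrusted zone is parsed and checked at Trust Boundary 1 before anything in the semi-trusted zone acts on it. The field names, size limit, username pattern and filter allowlist are constructed for illustration; the shape of the check (size cap, strict parse, reject unknown fields, type and range checks, allowlists) is the point.

```python
import json
import re

MAX_BODY_BYTES = 4096                      # constructed limit
ALLOWED_FIELDS = {"username", "page_size", "filter"}
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
FILTER_ALLOWLIST = {"active", "inactive", "all"}


class BoundaryViolation(ValueError):
    """Raised when untrusted input fails validation at the trust boundary."""


def validate_at_boundary(raw_body: bytes) -> dict:
    """Parse and validate an untrusted request body.

    Returns a new dict containing only the expected fields, each type- and
    range-checked, so everything behind the boundary handles known-good data."""
    # 1. Bound resource use before doing any parsing.
    if len(raw_body) > MAX_BODY_BYTES:
        raise BoundaryViolation("body too large")
    # 2. Strict parse; malformed encoding or JSON is rejected, not guessed at.
    try:
        data = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise BoundaryViolation(f"malformed JSON: {exc}") from None
    if not isinstance(data, dict):
        raise BoundaryViolation("body must be a JSON object")
    # 3. Reject anything not in the schema rather than silently ignoring it.
    unknown = set(data) - ALLOWED_FIELDS
    if unknown:
        raise BoundaryViolation(f"unexpected fields: {sorted(unknown)}")
    # 4. Per-field type, format and range checks.
    username = data.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise BoundaryViolation("invalid username")
    page_size = data.get("page_size", 20)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(page_size, bool) or not isinstance(page_size, int) \
            or not 1 <= page_size <= 100:
        raise BoundaryViolation("page_size must be an integer in 1..100")
    filt = data.get("filter", "active")
    if filt not in FILTER_ALLOWLIST:
        raise BoundaryViolation("filter not allowed")
    # 5. Return a freshly built object; never pass the raw input through.
    return {"username": username, "page_size": page_size, "filter": filt}


def safe_validate(raw_body: bytes):
    """Return (True, clean_dict) or (False, reason) without raising."""
    try:
        return True, validate_at_boundary(raw_body)
    except BoundaryViolation as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample bodies, one good and several that must be rejected.
    samples = [
        b'{"username": "alice_1", "page_size": 5}',
        b'{"username": "alice", "role": "admin"}',
        b'{"username": "alice", "page_size": true}',
        b'not json',
        b'["alice"]',
    ]
    for body in samples:
        print(body, "->", safe_validate(body))
```

The same discipline applies at Trust Boundary 2: data leaving the DMZ for internal services should be treated as already validated only if the gateway actually performed checks like these, otherwise the internal tier must validate again.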
Next, we'll dive into the OWASP Top 10 2025—the vulnerabilities you'll be quizzed on in every security interview.