Security Fundamentals
Cryptography Basics
Symmetric encryption uses the same key for encryption and decryption, giving fast performance with algorithms like AES and ChaCha20.
- Block vs stream ciphers
- Cipher modes (CBC, GCM, CTR)
- Key management and rotation
- High performance for bulk data

- File encryption at rest
- Full disk encryption
- VPN tunnel encryption
- Database encryption
Asymmetric encryption uses public/private key pairs (RSA or ECC); it is slower but enables secure key exchange and digital signatures.
- Key exchange protocols
- Digital signature support
- Certificate-based authentication
- No shared secret required

- TLS/SSL handshakes
- SSH authentication
- PGP email encryption
- Code signing certificates
Hash functions are one-way functions used for data integrity (SHA-256) and password storage (bcrypt, Argon2).
- Collision resistance
- Avalanche effect property
- Salt for password hashing
- Configurable work factor

- Password storage (bcrypt, Argon2)
- Data integrity verification
- Blockchain proof-of-work
- Git commit hashing
Digital signatures provide message authenticity and non-repudiation using RSA or ECDSA, with verification by the signer's public key.
- Sign with private key
- Verify with public key
- Integrity guarantee
- Non-repudiation property

- Code signing for software
- Document signing (PDF)
- JWT token signatures
- Blockchain transactions
Authentication & Authorization
Secure password handling with strong hashing (bcrypt, Argon2), salting, and multi-factor authentication.
- Slow hashing algorithms
- Unique salts per password
- Password complexity policies
- Multi-factor authentication (MFA)

- User account systems
- Admin access control
- API key management
- Service account credentials
OAuth 2.0 is an authorization framework for delegated access, using access tokens, refresh tokens, and scoped permissions.
- Authorization code flow
- Client credentials flow
- PKCE for mobile apps
- Token refresh mechanism

- Social login (Google, GitHub)
- API authorization
- Third-party app access
- Single Sign-On (SSO)
JSON Web Tokens (JWTs) are self-contained tokens for stateless authentication, with signature verification and claims-based authorization.
- Header, payload, signature structure
- Expiration and claims
- Stateless authentication
- Token-based authorization

- API authentication
- Microservices communication
- Mobile app authentication
- Distributed system auth
Role-based (RBAC) and attribute-based (ABAC) access control for fine-grained permissions and policy management.
- Role hierarchies
- Permission assignments
- Attribute-based policies
- Dynamic access control

- Admin panel permissions
- Multi-tenant applications
- Document access control
- Resource-level permissions
Common Vulnerabilities (OWASP Top 10)
SQL injection: malicious SQL supplied through user input, prevented with parameterized queries and ORMs.
- Detection techniques
- Prepared statements
- Input validation
- ORM usage for safety

- Login bypass attacks
- Data exfiltration
- Database manipulation
- Privilege escalation
Cross-site scripting (XSS): injected malicious scripts (reflected, stored, DOM-based), prevented with input sanitization and CSP headers.
- Input sanitization
- Output encoding
- Content Security Policy (CSP)
- HTTPOnly cookies

- Cookie theft
- Session hijacking
- Website defacement
- Phishing attacks
Cross-site request forgery (CSRF): unauthorized actions performed with the victim's credentials, prevented with CSRF tokens and SameSite cookies.
- CSRF token validation
- Referer header checking
- SameSite cookie attribute
- Double submit cookie pattern

- Unwanted fund transfers
- Account setting changes
- Data modification
- Email address changes
Broken authentication mechanisms including weak passwords, poor session management, and missing MFA.
- Multi-factor authentication
- Session timeout policies
- Secure password storage
- Account lockout mechanisms

- Credential stuffing attacks
- Brute force attempts
- Session fixation
- Password reset vulnerabilities
Secure Coding Practices
Input validation: an allow-list (whitelist) approach with type checking, length limits, and proper encoding for all user inputs.
- Client and server validation
- Regex pattern matching
- Data sanitization
- Type enforcement

- Form input validation
- API parameter checking
- File upload validation
- Search query sanitization
TLS/SSL encryption for data in transit with certificate validation and HSTS headers.
- Encryption in transit
- Certificate validation
- Forward secrecy (PFS)
- HSTS enforcement

- HTTPS web traffic
- API communication
- Database connections
- File transfers
Secrets management: secure storage and handling of secrets using environment variables, vaults, and key rotation policies.
- Encryption at rest
- Access control policies
- Audit logging
- Automatic rotation

- API keys and tokens
- Database passwords
- TLS certificates
- Encryption keys
Logging and monitoring: security event logging with anomaly detection, audit trails, and SIEM integration for threat detection.
- Log aggregation
- Real-time alerting
- Retention policies
- Compliance reporting

- Failed login attempts
- Access logs
- Error tracking
- Intrusion detection
