Security — AuthN/Z, TLS, OWASP, Secrets
A deep-dive on Security — part of a 36-topic evergreen learning series.
Why this session matters
Part of a 36-topic learning series on engineering, ML, and LLM systems. Each session is a 90-minute deep-dive on one topic — designed so anyone can pick it up cold. Every two topics are followed by a revision session with recall prompts and hands-on drills.
Session 30 · SYS track 🔐
Security is invisible when it works and career-ending when it doesn't. This session covers authentication (passwords, MFA, WebAuthn, OAuth 2.0 / OIDC, JWTs), authorization (RBAC, ABAC, policy engines), TLS 1.3 handshake, the OWASP Top 10 with real examples, secret management (Vault, KMS), and threat-modeling a system.
Pre-read (30 min before session)
Watch 1–2 of these before the deep-dive:
Then skim the OWASP Top 10 2021.
Deep-dive (90 min)
1. Authentication (25 min)
Password best practices (Argon2id, per-user salt). MFA (TOTP, WebAuthn/passkeys). OAuth 2.0 flows: Authorization Code + PKCE (SPAs, mobile), Client Credentials (service-to-service), Device Code (CLI). OIDC on top for identity (id_token). JWT structure (header/payload/signature), pitfalls (alg: none, algorithm confusion, weak keys). Session cookies vs bearer tokens (SameSite, Secure, HttpOnly).
2. Authorization (20 min)
RBAC (roles → permissions → resources). ABAC (policy over attributes). ReBAC (relationship-based, Google Zanzibar model). Policy engines (OPA, Cedar). Common bugs: BOLA / IDOR (missing object-level auth), broken function-level auth.
3. Transport & storage (20 min)
TLS 1.3 handshake (1-RTT, 0-RTT with replay caveats). Cipher suites and forward secrecy. Cert management (ACME, Let's Encrypt, cert-manager on K8s). At-rest encryption (AES-256-GCM). KMS/HSM. Envelope encryption pattern.
4. OWASP Top 10 + threat modeling (25 min)
Injection (parameterize!), broken access control, SSRF, deserialization, XXE, SQLi via string concat. Threat modeling with STRIDE. Reading a security scanner report (SAST/DAST/SCA). Secrets in code — pre-commit hooks + rotation.
Reading list
- Web Application Hacker's Handbook — Stuttard & Pinto
- Real-World Cryptography — David Wong
- Threat Modeling — Adam Shostack
Research links
Hands-on drill
Write a tiny Flask app with a login form. Deliberately introduce (a) SQL injection, (b) IDOR (/order/<id> with no owner check), (c) missing CSRF token. Then fix all three. Bonus: run ZAP or Burp against it.
Post-session checklist
- Can you explain OAuth 2.0 Authorization Code + PKCE flow in 60 seconds?
- Can you explain the difference between RBAC and ABAC in 60 seconds?
- Can you explain how TLS 1.3 achieves 1-RTT in 60 seconds?
- Did you complete the hands-on drill above?
- Did you write 3 flashcards for tomorrow's recall?
- What's the one thing you'd want to revisit in the next revision session?
What's next
Session 31 continues the series. See the hub page for the full sequence and revision pattern.